This paper presents the results of an experiment in security evaluation.
The system is modeled as a privilege graph that exhibits its security
vulnerabilities. Quantitative measures that estimate the effort an attacker
might expend to exploit these vulnerabilities to defeat the system security
objectives are proposed. A set of tools has been developed to compute such
measures and has been used in an experiment to monitor a large real system
for nearly two years. The experimental results are presented and the
validity of the measures is discussed. Finally, the practical usefulness of
such tools for operational security monitoring is shown and a comparison
with other existing approaches is given.