Security metrics are the tools for providing correct and upto-date information about a state of security. This information is essential for managing security efficiently. Although a number of security metrics were proposed we still need reliable ways for assessment of security. First of all, we do not have a widely-accepted and unambiguous definition which defines what it means that one system is more secure than another one. Without this knowledge we cannot show that a metric really measures security. Second, there is no a universal formal model for all metrics which can be used for rigourous analysis. In this paper we investigate how we can define "more secure" relation and propose our basic formal model for a description and analysis of security metrics. Categories and Subject Descriptors K.6.5 [Management of Computing and Information Systems]: Miscellaneous--Security; K.6.4 [Management of Computing and Information Systems]: System Management--Quality assurance; D.2.8 [So...