Using Attack Surface Area and Relative Attack Surface Quotient to Identify Attackability [ PDF ]

In March 2003, Microsoft engaged the Security and Technology Solutions practice of Ernst & Young LLP to validate the Relative Attack Surface Quotient (RASQ) model developed by Microsoft, which quantifies the relative "attackability" provided by each of its operating system platforms.

The model provides a methodology to compute the attackability of Microsoft Windows server operating systems by describing potential exploit points and assigning a relative vulnerability level based on exploits that occur in the real world. Ernst & Young conclude that Windows Server 2003 is the least attackable operating system Microsoft has ever released.