An approach to measure the operational security of intrusion tolerant systems