Improving system security during the design phase is challenging but can be cost-effective in the long run. Security metrics are a way to measure and manage a system's ability to minimize possible attack opportunities. While several design-level security metrics exist to evaluate vulnerabilities in system design, it is unclear which metrics provide a sound scientific basis for their characterization. Lack of security knowledge among average development teams and the lack of tool support are additional challenges. In this work, we present a data-driven approach for the security evaluation of system designs to address the above challenges. The approach aims to incrementally improve system security and decision-making at design time. We integrate the attack surface metric which we found to be sound in our evaluation of widely-used security metrics and leverage external data sources to characterize the structural security posture of software systems. Several tools are developed to automate the approach.