[ISN] NIST suggests areas for further security metrics research

From: InfoSec News <alerts_at_private>
Date: Wed, 11 Mar 2009 01:08:14 -0600 (CST)
http://gcn.com/articles/2009/03/09/nist-security-metrics.aspx

By William Jackson
GCN.com
Mar 09, 2009

Computer security is a difficult thing to quantify because, if done 
right, nothing happens. How, then, do you measure what didn't happen?

Nevertheless, meaningful metrics are necessary so security can become a 
reliable, repeatable process with the necessary levels of assurance. The 
National Institute of Standards and Technology (NIST) doesn't have the 
answer for this, but scientists in its Computer Security Division have 
identified some areas for further research they hope might yield 
results.

"Security metrics is an area of computer security that has been 
receiving a good deal of attention lately," the agency said in the draft 
of the new interagency report, titled "Directions in Security Metrics 
Research." "It is not a new topic, but one which receives focused 
interest sporadically."

So far, this interest has not produced many actual metrics that have 
proven useful in practice. "Advancing the state of scientifically sound, 
security measures and metrics would greatly aid the design, 
implementation, and operation of secure information systems," the report 
states.

[...]


Received on Wed Mar 11 2009 - 00:08:14 PDT
