http://www.networkworld.com/newsletters/sec/2009/052509sec2.html

Security Strategies Alert
By M. E. Kabay
Network World, 05/27/2009

One of the most difficult aspects of managing risk in information assurance (IA) is that our statistical information is so poor. We don't know about security breaches that we have not noticed; we don't report all the breaches that we do notice to any central collection point; and we use dreadful methodology for collecting information, using poorly constructed surveys that have tiny percentages of respondents, no internal validation and no follow-up verification.

On a practical level, the question arises of just exactly what we should be measuring (that is, how to define security metrics) as a way of understanding and managing security issues.

Dr. Gary Hinson, CISSP, CISA, CISM, MBA of Isect wrote an excellent paper entitled "Seven myths about information security metrics" that was originally published in the ISSA Journal in July 2006. Hinson thoughtfully and articulately challenges these seven common assertions (quoting the headings):

1. Metrics must be objective and tangible
2. Metrics must have discrete values
3. We need absolute measurements
4. Metrics are costly
5. You can't manage what you can't measure and you can't improve what you can't manage
6. It is essential to measure process outcomes
7. We need the numbers!

[...]

Received on Wed May 27 2009 - 22:14:28 PDT