[ISN] Security metrics research

From: InfoSec News <alerts_at_private>
Date: Thu, 28 May 2009 00:14:28 -0500 (CDT)

Security Strategies Alert  
By M. E. Kabay  
Network World 

One of the most difficult aspects of managing risk in information 
assurance (IA) is that our statistical information is so poor. We don't 
know about security breaches that we have not noticed; we don't report 
all the breaches that we do notice to any central collection point; and 
we use dreadful methodology for collecting information using poorly 
constructed surveys that have tiny percentages of respondents, no 
internal validation and no follow-up verification.

On a practical level, the question arises of exactly what we should be 
measuring (that is, how to define security metrics) as a way of 
understanding and managing security issues.

Dr. Gary Hinson, CISSP, CISA, CISM, MBA of Isect wrote an excellent 
paper entitled "Seven myths about information security metrics" that was 
originally published in the ISSA Journal in July 2006. Hinson 
thoughtfully and articulately challenges these seven common assertions 
(quoting the headings):

1. Metrics must be objective and tangible
2. Metrics must have discrete values
3. We need absolute measurements
4. Metrics are costly
5. You can't manage what you can't measure and you can't improve what 
   you can't manage 
6. It is essential to measure process outcomes 
7. We need the numbers!


Received on Wed May 27 2009 - 22:14:28 PDT
