Security Basics mailing list archives
RE: Looking For Security Metrics
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 28 Mar 2008 08:44:13 +1000
Day to day changes might occur due to measures you've taken to improve those defences, or to changes in the threat environment, but you can reasonably assert that higher values correlate with higher risk.
Thanks David. That's an excellent point.
-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Friday, March 28, 2008 2:55 AM
To: 'Sheldon Malm'; 'Murda Mcloud'; jmacaranas () fxdd com; security-basics () lists securityfocus com
Subject: RE: Looking For Security Metrics

If you're talking about an enumerated list of things to cover, then CIS, NIST, and the collective works of mitre (particularly CCE and CVE) are a great place to start.

An enumerated checklist -- an extremely useful tool! -- is not a metric. A metric doesn't just involve counting, it requires counting things that are sufficiently similar/interchangeable that the counts taken under different conditions (typically different dates) can be usefully compared. If your count is 3 on day 1 and 7 on day 2, you'd like to be sure that means that the quality you're trying to measure ("security") is higher/better on day 2 than on day 1. But if those are counts of "top 10 preventive security measures", and the 3 on day 1 are the ones that are critical to your enterprise and the 7 on day 2 are just the remainder, then the meaning you had hoped for is not achieved.

On the other hand, "number of recognizable attack packets from outside sources detected by a sensor inside the perimeter" is a reasonable (inverse) metric of the effectiveness of your perimeter defences in the current threat environment. Day to day changes might occur due to measures you've taken to improve those defences, or to changes in the threat environment, but you can reasonably assert that higher values correlate with higher risk.

David Gillett
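An added example, not part of the original thread: one way to compute the inverse metric David Gillett describes, the per-day count of recognizable attack packets from outside sources seen by a sensor inside the perimeter. The alert line format, the internal address ranges and the sample alerts are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: address ranges that count as "inside the perimeter".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed alerts from a hypothetical internal sensor, one per line:
# <date> <time> <signature> <src_ip> -> <dst_ip>
SAMPLE_ALERTS = """\
2008-03-26 01:12:09 SQL-WORM-PROBE 203.0.113.7 -> 10.1.2.3
2008-03-26 04:40:51 SSH-BRUTE 198.51.100.20 -> 10.1.2.9
2008-03-26 09:03:17 SMB-SCAN 10.4.4.4 -> 10.1.2.3
2008-03-27 02:15:00 SQL-WORM-PROBE 203.0.113.7 -> 10.1.2.3
2008-03-27 02:15:01 SQL-WORM-PROBE 203.0.113.8 -> 10.1.2.3
2008-03-27 11:59:30 SSH-BRUTE 198.51.100.20 -> 192.168.5.5
2008-03-28 08:00:00 SMB-SCAN 10.4.4.4 -> 10.1.2.3
truncated alert line
"""

def is_external(addr):
    """True when addr lies outside every internal range."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return not any(ip in net for net in INTERNAL_NETS)

def daily_external_alerts(log_text):
    """Return {date: count} of alerts whose source is outside the perimeter."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[4] != "->":
            continue  # skip lines that do not match the assumed format
        date, src = fields[0], fields[3]
        try:
            # A day with sensor data but no outside sources is recorded
            # as 0, so a quiet day is not confused with a missing one.
            counts[date] += 1 if is_external(src) else 0
        except ValueError:
            continue
    return dict(counts)

def day_over_day(counts):
    """Return [(date, count, change)] in date order; rising counts mean rising risk."""
    rows, prev = [], None
    for date in sorted(counts):
        rows.append((date, counts[date], None if prev is None else counts[date] - prev))
        prev = counts[date]
    return rows

if __name__ == "__main__":
    for row in day_over_day(daily_external_alerts(SAMPLE_ALERTS)):
        print(row)
```

The counts are comparable across days only while the sensor placement and signature set stay the same, which is the "sufficiently similar" condition the message sets for a metric.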