Security Basics mailing list archives

RE: Looking For Security Metrics


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 27 Mar 2008 09:54:43 -0700

If you're talking about an enumerated list of things to 
cover, then CIS, NIST, and the collective works of MITRE 
(particularly CCE and CVE) are a great place to start.  

  An enumerated checklist -- an extremely useful tool! --
is not a metric.  

  A metric doesn't just involve counting; it requires counting 
things that are sufficiently similar/interchangeable that 
the counts taken under different conditions (typically
different dates) can be usefully compared.  If your count is
3 on day 1 and 7 on day 2, you'd like to be sure that means that
the quality you're trying to measure ("security") is higher/better
on day 2 than on day 1.
  But if those are counts of "top 10 preventive security measures",
and the 3 on day 1 are the ones that are critical to your enterprise
and the 7 on day 2 are just the remainder, then the meaning you
had hoped for is not achieved.

  On the other hand, "number of recognizable attack packets from 
outside sources detected by a sensor inside the perimeter" is a
reasonable (inverse) metric of the effectiveness of your perimeter 
defences in the current threat environment.  Day-to-day changes 
might occur due to measures you've taken to improve those defences,
or to changes in the threat environment, but you can reasonably assert
that higher values correlate with higher risk.

David Gillett
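The perimeter metric described in the post, worked through as an added example (this is not code from the post or from the Security Basics list): the script filters constructed IDS alert lines down to the ones that are comparable in the sense the post asks for (source address outside the organisation's own ranges, seen by a sensor placed inside the perimeter), counts them per day, and reports the day-over-day change. The internal address ranges, the four-field alert line format and the alert lines themselves are assumptions constructed for the example; a malformed line is included to show that it is rejected rather than counted.

```python
"""Added example, not part of the original post: compute the
'attack packets from outside sources seen by an inside sensor' metric
from constructed IDS alert lines so that day-to-day counts compare
like with like."""
from collections import Counter
from datetime import date
import ipaddress

# Hypothetical internal address space; any other source is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed alert lines (documentation-range addresses only):
#   <date> <source ip> <sensor placement> <signature name>
SAMPLE_ALERTS = """\
2008-03-25 203.0.113.5 inside ET SCAN Nmap
2008-03-25 10.1.2.3 inside ET POLICY internal scan
2008-03-25 198.51.100.7 outside ET SCAN Nmap
2008-03-25 203.0.113.9 inside ET EXPLOIT shellcode
2008-03-26 203.0.113.5 inside ET SCAN Nmap
2008-03-26 198.51.100.7 inside ET SCAN Nmap
2008-03-26 203.0.113.9 inside ET EXPLOIT shellcode
2008-03-26 192.168.4.4 inside ET POLICY internal scan
2008-03-26 not-an-ip inside ET SCAN Nmap
2008-03-26 203.0.113.11 inside ET EXPLOIT shellcode
2008-03-26 203.0.113.12 inside ET SCAN Nmap
2008-03-26 203.0.113.13 inside ET SCAN Nmap
2008-03-26 203.0.113.14 inside ET SCAN Nmap
"""


def parse_alert(line):
    """Parse one alert line into its fields, or return None for lines
    that do not match the expected shape, so a malformed line cannot
    silently inflate the count."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    day, src, sensor, signature = parts
    try:
        date.fromisoformat(day)        # validates the date field
        ipaddress.ip_address(src)      # validates the address field
    except ValueError:
        return None
    if sensor not in ("inside", "outside"):
        return None
    return {"day": day, "src": src, "sensor": sensor, "signature": signature}


def is_outside(src):
    """True when the source address lies outside every internal range."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def count_inside_alerts_from_outside(alert_text):
    """Count, per ISO date, alerts raised by an inside sensor for traffic
    from an outside source. Alerts from internal sources or from sensors
    outside the perimeter measure something else and are excluded."""
    counts = Counter()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["sensor"] == "inside" and is_outside(alert["src"]):
            counts[alert["day"]] += 1
    return dict(counts)


def day_over_day(counts):
    """Return (day, count, change from previous day) rows in date order;
    the first day has no previous value, so its change is None."""
    rows = []
    previous = None
    for day in sorted(counts):
        delta = None if previous is None else counts[day] - previous
        rows.append((day, counts[day], delta))
        previous = counts[day]
    return rows


if __name__ == "__main__":
    metric = count_inside_alerts_from_outside(SAMPLE_ALERTS)
    print("date        count  change")
    for day, count, delta in day_over_day(metric):
        change = "" if delta is None else f"{delta:+d}"
        print(f"{day}  {count:5d}  {change}")
```

The filter is the point: dropping the alerts from internal sources and from the outside sensor is what makes the two days' counts describe the same quantity, so a rise from day one to day two can be read as the post suggests, as the perimeter letting more recognisable attack traffic through.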


