Security Basics mailing list archives

Re: Looking For Security Metrics


From: "Charles H. Leggett" <chl () uga edu>
Date: Fri, 28 Mar 2008 08:44:49 -0400

On 03/27/2008 11:19 AM, Sheldon Malm wrote:
...
> If, by metrics, you mean risk scoring and trending over time, there is
> little available in the public domain other than CVSS today.  Vendors have
> their own proprietary risk metrics (nCircle has a composite score as
> well as CVSS built into IP360; most others use HIGH/MEDIUM/LOW), and
> there are countless conceptual risk frameworks (mostly academic today).


This may be one of the "conceptual risk frameworks" to which Sheldon is
referring, but I am reading up on the ISECOM (http://www.isecom.org)
Risk Assessment Values, or RAVs, which they use in their Open Source
Security Testing Methodology Manual (OSSTMM).  More information can be
found here:

http://www.isecom.org/research/ravs.shtml
and
http://www.isecom.org/osstmm/


...


--
Charles H. Leggett
EITS - Information Security
chl () uga edu
