14/07/2008
Security Metrics
Phil Huggins
Page 2
Core Text
Security Metrics: Replacing Fear, Uncertainty and Doubt
Andy Jaquith, 2007
ISBN 0-321-34998-9
Page 3
Recommended Texts
Page 4
Growing field
► Areas of interest
  ► Software security
  ► Modelling
  ► Benchmarking
  ► Return on investment
  ► Breach data
► Standards
  ► ISO/IEC 27004
  ► NIST SP800-55
► Communities
  ► Securitymetrics.org
  ► Metricsexchange.org
  ► Cybersecurity KTN
Page 5
Securitymetrics.org
► Open mailing list and wiki
► Active community
► Established by Andy Jaquith
► Runs the US-based Metricon and MiniMetricon events each year
Page 6
Metricsexchange.org
► New open community group
► Established by Elizabeth Nichols
► Sharing metrics definitions, learning and data
► Early days, big ideas
Page 7
Cybersecurity KTN – Metrics SIG
► UK Knowledge Trading Networks established by DTI
► Promoting collaboration between industry, academia and government
► Metrics Special Interest Group has focused on the delivery of the Internet Threat Exposure (ITE) Index
  ► Threat- and countermeasure-focused metric of exposure
  ► Appears to be aimed at less sophisticated security practitioners
  ► Risk assessment-lite?
  ► Currently being developed in an open group
Page 8
Standards
► NIST SP800-55
  ► Exhaustive list of possible security metrics to measure
  ► 99 pages
  ► No real sense of what is a useful metric
  ► Defines useful characteristics to describe a metric
    ► Performance Goal, Performance Objective, Metric, Purpose, Implementation Evidence, Frequency, Formula, Data Source, Indicator
► ISO/IEC 27004
  ► Currently in draft / closed group
  ► Metrics covering the performance of an ISMS as defined in 27001 and 27002
Page 9
Types of Security Metrics
► Risk Metrics
► Compliance Metrics
► Operational Metrics
► Quality Metrics
► Management Metrics
► Business Metrics
► Confusion among practitioners
Page 10
Focus problems
► Technical Focus
  ► “What do we count?”
► Business Focus
  ► “What do we need to do and why?”
► Counting is the mechanical foundation
► The business wants the story the numbers tell
► Metrics are not the answer to funding problems
Page 11
Other common problems
► Managing to the metric
  ► No longer focused on the result
► Measuring emerging threats
  ► Measuring last year's breaches
Page 12
Questions from the board
► Am I safe?
► Can I take responsibility for the actions of my company?
► Who handles my data?
► Who am I doing business with?
► Are they accountable?
Page 13
Metricon practitioners' top 10 metrics
► Data volumes transmitted to competition
► Coverage metrics
► Availability of business systems
► End user perception of security
► Legal fees paid out
► Total cost of information security
► Information asset value
► Count of events on systems
► Security control success rate
► Cost of security monitoring and reporting
Page 14
Balanced Security Scorecards
► Complete: People, Process, Technology, Budgeting, Innovation, Organisational Planning, Operations
► Traditionally include four primary perspectives:
  ► Financial
  ► Customer
  ► Internal Processes
  ► Learning and Growth
► Jaquith has a comprehensive chapter on balanced security scorecards in his book
Page 15
Geer’s Scorecard
► Finance
  ► Cost of data security per transaction
  ► Downtime lost to attack, by attack class
  ► Data flow per transaction and source
  ► Budget correlation with risk measures
► Process
  ► % of critical systems under a DR plan
  ► % of critical systems obeying the security policy
  ► MTBF & MTTR for security incidents
  ► Frequency of security team internal consultations
  ► Latency to obey security change orders, by department
Page 16
Geer’s Scorecard
► Learning and growth
  ► % of job reviews involving security
  ► % of security workers with training
  ► Ratio of B.U. security staff to central security staff
  ► Timely new system security consultations
  ► % of programs with budgeted security
► Customer
  ► % of SLAs with security standards
  ► % of tested external-facing applications
  ► Number of non-employees with access
  ► % of data secure by default
  ► % of customer data outside the data centre
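The Process perspective of the scorecard (slide 15) is the part most easily computed from records a security team already holds: an incident log and an asset inventory. The following Python is an added example, not from the slides and not Geer's or Jaquith's code. The incident and system records are constructed; it assumes MTTR is measured from an incident being opened to its being resolved, MTBF as the mean gap between consecutive incident openings, and that the "critical", DR-plan and policy-compliance flags come from an asset register.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One security incident: when it was opened (detected) and when it was closed."""
    opened: datetime
    resolved: datetime


# Constructed sample incidents for illustration (not real data).
INCIDENTS = [
    Incident(datetime(2008, 1, 3, 9), datetime(2008, 1, 3, 17)),   # 8 h to resolve
    Incident(datetime(2008, 1, 17, 9), datetime(2008, 1, 18, 9)),  # 24 h
    Incident(datetime(2008, 2, 7, 9), datetime(2008, 2, 7, 13)),   # 4 h
    Incident(datetime(2008, 3, 6, 9), datetime(2008, 3, 7, 21)),   # 36 h
]

# Constructed system inventory; in a real scorecard the flags would be
# pulled from a CMDB or asset register (assumption).
SYSTEMS = [
    {"name": "erp",     "critical": True,  "dr_plan": True,  "policy_compliant": True},
    {"name": "crm",     "critical": True,  "dr_plan": True,  "policy_compliant": False},
    {"name": "payroll", "critical": True,  "dr_plan": False, "policy_compliant": False},
    {"name": "web",     "critical": True,  "dr_plan": True,  "policy_compliant": True},
    {"name": "wiki",    "critical": False, "dr_plan": False, "policy_compliant": True},
]


def mttr_hours(incidents):
    """Mean time to recover: average opened-to-resolved duration in hours."""
    if not incidents:
        raise ValueError("MTTR is undefined with no incidents")
    return mean((i.resolved - i.opened).total_seconds() / 3600 for i in incidents)


def mtbf_days(incidents):
    """Mean time between failures: average gap in days between consecutive
    incident openings. Needs at least two incidents to define a gap."""
    opened = sorted(i.opened for i in incidents)
    if len(opened) < 2:
        raise ValueError("MTBF needs at least two incidents")
    gaps = [(later - earlier).total_seconds() / 86400
            for earlier, later in zip(opened, opened[1:])]
    return mean(gaps)


def pct_of_critical(systems, flag):
    """Percentage of critical systems for which `flag` is set (e.g. 'dr_plan')."""
    critical = [s for s in systems if s["critical"]]
    if not critical:
        raise ValueError("no critical systems in scope")
    return 100.0 * sum(1 for s in critical if s[flag]) / len(critical)


def process_scorecard(incidents, systems):
    """The 'Process' perspective as a dict of metric name -> value."""
    return {
        "pct_critical_under_dr_plan": pct_of_critical(systems, "dr_plan"),
        "pct_critical_policy_compliant": pct_of_critical(systems, "policy_compliant"),
        "mtbf_days": mtbf_days(incidents),
        "mttr_hours": mttr_hours(incidents),
    }


if __name__ == "__main__":
    for metric, value in process_scorecard(INCIDENTS, SYSTEMS).items():
        print(f"{metric:32s} {value:8.1f}")
```

On the constructed data this gives 75% of critical systems under a DR plan, 50% obeying policy, an MTBF of 21 days and an MTTR of 18 hours. The two ValueError guards matter in practice: a quarter with one incident has no MTBF, and a scorecard that silently reports 0 there is the "managing to the metric" problem from slide 11.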
Page 17
GE Global experience
► Metrics to drive behaviour
► Scorecard approach
  ► Business unit drill-down and comparison views
► Communication plan was key
► Built a custom system piecemeal over several years
  ► Started with manual data, automated over time
  ► Now moving to a common platform
► Monolithic vs composite data sources
► Centralised vs business unit data sources
Page 18
Dept of Veterans Affairs’ experience
► Didn't have common definitions of:
  ► What IT security was
  ► What better IT security looked like
  ► The value of security
► Identified the security events that drove the perception of security
► Focused on the frequency and impact of those events
► Did not ignore uncertainty!
► Results-focused
Page 19
Intel’s experience
► Developed a predictive model for future security incidents
► Used to provide ROI on 'reduce the occurrence' controls, NOT 'reduce the effect' controls
► Needed to gather current-state data first in order to identify the 'Annual Rate of Occurrence'
  ► 2 years of data from 20+ global locations
► Needed to estimate the 'Single Loss Expectancy' value for the target environment
► Identified limited target groups to pilot controls in first, to measure results
► Needed a LOT of data
► 87% accurate predictions over a 12-month period
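The slide names the two inputs of the classic quantitative risk model, Annual Rate of Occurrence and Single Loss Expectancy, and distinguishes controls that lower the rate from controls that lower the loss per incident. The following Python is an added example, not from the slides and not Intel's model; it assumes the textbook relation ALE = ARO x SLE and a simple ROI of (ALE reduction - control cost) / control cost. The incident counts, SLE and the two controls are constructed, not Intel's figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate control and what it changes in the loss model.
    aro_factor < 1 models a 'reduce the occurrence' control;
    sle_factor < 1 models a 'reduce the effect' control."""
    name: str
    annual_cost: float
    aro_factor: float = 1.0
    sle_factor: float = 1.0


def annual_rate_of_occurrence(incident_count, years):
    """ARO estimated from observed history: incidents per year."""
    if years <= 0:
        raise ValueError("need a positive observation period")
    return incident_count / years


def annual_loss_expectancy(aro, sle):
    """Assumed model: ALE = ARO x SLE."""
    return aro * sle


def roi(control, aro, sle):
    """Return on investment: (reduction in ALE - control cost) / control cost."""
    before = annual_loss_expectancy(aro, sle)
    after = annual_loss_expectancy(aro * control.aro_factor,
                                   sle * control.sle_factor)
    return (before - after - control.annual_cost) / control.annual_cost


def rank_controls(controls, aro, sle):
    """Controls sorted best ROI first, as (name, roi) pairs."""
    return sorted(((c.name, roi(c, aro, sle)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


# Constructed inputs: 48 incidents observed over 2 years of history, and an
# estimated SLE of 50,000 per incident for the target environment.
ARO = annual_rate_of_occurrence(48, 2)   # 24 incidents per year
SLE = 50_000.0

# Two hypothetical controls with the same annual cost.
REDUCE_OCCURRENCE = Control("hardening that halves the incident rate",
                            200_000.0, aro_factor=0.5)
REDUCE_EFFECT = Control("containment cutting loss per incident by 25%",
                        200_000.0, sle_factor=0.75)

if __name__ == "__main__":
    print(f"ALE without controls: {annual_loss_expectancy(ARO, SLE):,.0f}")
    for name, r in rank_controls([REDUCE_OCCURRENCE, REDUCE_EFFECT], ARO, SLE):
        print(f"{name}: ROI {r:.2f}")
    # Why the predictive model matters: halve the ARO estimate and the
    # occurrence-reducing control's ROI drops from 2.0 to 0.5.
    print(f"same control at ARO=12: ROI {roi(REDUCE_OCCURRENCE, 12.0, SLE):.2f}")
```

The last line of the main block is the point of the slide: the ROI of a 'reduce the occurrence' control is only as good as the ARO estimate it rests on, which is why the current-state data had to be gathered first and why pilot groups were used to check the predicted rate against what was observed.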
Page 20
Verizon 2008 Data Breach Investigations Report
► 500 investigations over 4 years
► 18% of breaches were the result of an unpatched system
  ► 90% of unpatched breaches had had patches publicly available for 6 months or more
  ► No more would have been prevented by a patch cycle shorter than a month
► There is a lot of useful data in this report
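The patch findings above are a metric a team can compute on its own incident caseload: for each breach on an unpatched system, the age of the patch at the time of the breach, and from that the share a given patch cycle would have prevented. The following Python is an added example, not from the slides and not Verizon's analysis; the ten cases are constructed, "6 months" is approximated as 182 days, and a breach is counted as preventable by an N-day cycle when the patch had been public for at least N days before the breach (assumptions).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Breach:
    """A breach case: when it happened and, if it exploited a known flaw,
    when the fixing patch became publicly available."""
    case_id: str
    breach_date: date
    patch_released: Optional[date]   # None: not the result of an unpatched system


def _case(case_id, breach_date, patch_age_days=None):
    """Build a constructed case from a patch age in days (None = not patch-related)."""
    released = (None if patch_age_days is None
                else breach_date - timedelta(days=patch_age_days))
    return Breach(case_id, breach_date, released)


# Constructed caseload: 10 cases, 7 on unpatched systems with patch ages
# from 30 to 900 days and none under 30 days.
BREACHES = [
    _case("c01", date(2007, 3, 1)),
    _case("c02", date(2007, 4, 12), 30),
    _case("c03", date(2007, 5, 20), 45),
    _case("c04", date(2007, 6, 2)),
    _case("c05", date(2007, 7, 15), 180),
    _case("c06", date(2007, 8, 9), 200),
    _case("c07", date(2007, 9, 30), 365),
    _case("c08", date(2007, 10, 11)),
    _case("c09", date(2007, 11, 5), 600),
    _case("c10", date(2007, 12, 19), 900),
]

SIX_MONTHS_DAYS = 182   # approximation of "6 months or more"


def unpatched(breaches):
    """Cases that resulted from an unpatched system."""
    return [b for b in breaches if b.patch_released is not None]


def patch_age_days(b):
    """Days the patch had been public when the breach occurred."""
    return (b.breach_date - b.patch_released).days


def share_unpatched(breaches):
    """Fraction of all breaches caused by an unpatched system."""
    return len(unpatched(breaches)) / len(breaches)


def share_patch_older_than(breaches, days):
    """Among unpatched-system breaches, fraction whose patch was at least `days` old."""
    ub = unpatched(breaches)
    if not ub:
        raise ValueError("no unpatched-system breaches in the caseload")
    return sum(1 for b in ub if patch_age_days(b) >= days) / len(ub)


def preventable_by_cycle(breaches, cycle_days):
    """Unpatched-system breaches a `cycle_days` patch cycle would have closed in time."""
    return sum(1 for b in unpatched(breaches) if patch_age_days(b) >= cycle_days)


def marginal_benefit(breaches, from_cycle, to_cycle):
    """Extra breaches prevented by shortening the cycle from `from_cycle` to `to_cycle` days."""
    return (preventable_by_cycle(breaches, to_cycle)
            - preventable_by_cycle(breaches, from_cycle))


if __name__ == "__main__":
    print(f"unpatched-system share: {share_unpatched(BREACHES):.0%}")
    print(f"patch >= 6 months old:  {share_patch_older_than(BREACHES, SIX_MONTHS_DAYS):.0%}")
    for cycle in (365, 90, 30, 7):
        print(f"{cycle:4d}-day cycle prevents {preventable_by_cycle(BREACHES, cycle)}")
    print(f"gain from 30 -> 7 days: {marginal_benefit(BREACHES, 30, 7)}")
```

On the constructed data a 30-day cycle prevents all seven unpatched-system breaches and a 7-day cycle prevents no more, which is the shape of the slide's last finding: the marginal benefit of a faster cycle depends on how many breaches fall in the gap between the two cycle lengths, not on speed for its own sake.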
Page 21
Dan Geer’s counterpoint
► We are losing
► The bad guys are in it for the money
► Attackers' costs are continually falling
► Need to start measuring 'attack metrics'
  ► Focus on increasing their cost of attack
  ► More cost-effective to redirect than to resist
Page 22
Marcus Ranum’s counterpoint
► Statistics only work where:
  ► Population is large
  ► Problems are common and widely shared
  ► Aggressors act consistently
► The only scores that matter are 0% and 100%
► Security is not 'risk management', it is 'complexity management'
Thank you
phuggins@uk.ey.com

Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
 
Event mailer assignment progress report .pdf
Event mailer assignment progress report .pdfEvent mailer assignment progress report .pdf
Event mailer assignment progress report .pdf
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insights
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
Nepali Escort Girl Kakori \ 9548273370 Indian Call Girls Service Lucknow ₹,9517
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 

Security Metrics [2008]

14/07/2008 Security MetricsPage 9
Types of Security Metrics
► Risk Metrics
► Compliance Metrics
► Operational Metrics
► Quality Metrics
► Management Metrics
► Business Metrics
► Confusion among practitioners
14/07/2008 Security MetricsPage 10
Focus problems
► Technical Focus
► “What do we count?”
► Business Focus
► “What do we need to do and why?”
► Counting is the mechanical foundation
► The business wants the story the numbers tell
► Metrics are not the answer to funding problems
14/07/2008 Security MetricsPage 11
Other common problems
► Managing to the metric
► No longer focused on the result
► Measuring emerging threats
► Measuring last year's breaches
14/07/2008 Security MetricsPage 12
Questions from the board
► Am I safe?
► Can I take responsibility for the actions of my company?
► Who handles my data?
► Who am I doing business with?
► Are they accountable?
14/07/2008 Security MetricsPage 13
Metricon practitioners' top 10 metrics
► Data volumes transmitted to competition
► Coverage metrics
► Availability of business systems
► End user perception of security
► Legal fees paid out
► Total cost of information security
► Information asset value
► Count of events on systems
► Security control success rate
► Cost of security monitoring and reporting
14/07/2008 Security MetricsPage 14
Balanced Security Scorecards
► Complete:
► People, Process, Technology, Budgeting, Innovation, Organisational Planning, Operations
► Traditionally include four primary perspectives:
► Financial
► Customer
► Internal Processes
► Learning and Growth
► Jaquith has a comprehensive chapter on balanced security scorecards in his book
14/07/2008 Security MetricsPage 15
Geer’s Scorecard
► Finance
► Cost of data security per transaction
► Downtimes lost to attack by attack class
► Data flow per transaction and source
► Budget correlation with risk measures
► Process
► % of critical systems under a DR plan
► % of critical systems obeying the security policy
► MTBF & MTTR for security incidents
► Frequency of security team internal consultations
► Latency to obey security change orders by department
14/07/2008 Security MetricsPage 16
Geer’s Scorecard
► Learning and growth
► % of job reviews involving security
► % of security workers with training
► Ratio of B.U. security staff to central security staff
► Timely new system security consultations
► % of programs with budgeted security
► Customer
► % of SLAs with security standards
► % of tested external facing applications
► Number of non-employees with access
► % of data secure by default
► % of customer data outside the data centre
14/07/2008 Security MetricsPage 17
GE Global experience
► Metrics to drive behaviour
► Scorecard approach
► Business unit drill down and comparison views
► Communication plan was key
► Built a custom system piecemeal over several years
► Started with manual data, automated over time
► Now moving to a common platform
► Monolithic vs Composite data sources
► Centralised vs Business unit data sources
14/07/2008 Security MetricsPage 18
Dept of Veterans Affairs’ experience
► Didn’t have common definitions of:
► What IT Security was
► What better IT security looked like
► The value of security
► Identified the security events that drove perception of security
► Focused on the frequency and impact of those events
► Did not ignore uncertainty!
► Results-focused
14/07/2008 Security MetricsPage 19
Intel’s experience
► Developed predictive model for future security incidents
► Used to provide ROI on ‘reduce the occurrence’ controls NOT ‘reduce the effect’ controls
► Needed to gather current state data first in order to identify ‘Annual Rate of Occurrence’
► 2 years of data from 20+ global locations
► Needed to estimate ‘Single Loss Expectancy’ value for target environment
► Identified limited target groups to pilot controls in first to measure results
► Needed a LOT of data
► 87% accurate predictions over a 12 month period
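The Annual Rate of Occurrence / Single Loss Expectancy arithmetic the Intel slide relies on, carried through in Python as an added example (not Intel's model or figures): ARO and SLE are estimated from a constructed two-year incident history, combined into an Annual Loss Expectancy, and used to price a 'reduce the occurrence' control and to rank locations for a pilot. The incident records, loss values, control cost and effectiveness are all constructed sample data.

```python
# ARO / SLE / ALE arithmetic behind the Intel slide. Added example, not Intel's
# model: every incident record, loss value and control figure is constructed.

# Constructed history: (year, location, loss in GBP), two years, four sites.
INCIDENTS = [
    (2006, "london", 10000), (2006, "london", 20000),
    (2006, "dublin", 30000), (2006, "austin", 20000),
    (2007, "london", 10000), (2007, "dublin", 30000),
    (2007, "austin", 20000), (2007, "austin", 20000),
    (2007, "penang", 20000),
]

def observation_years(incidents):
    """Distinct calendar years covered by the records."""
    return len({year for year, _, _ in incidents})

def annual_rate_of_occurrence(incidents):
    """ARO: incidents per year; the slide notes this had to be measured first."""
    return len(incidents) / observation_years(incidents)

def single_loss_expectancy(incidents):
    """SLE: mean loss per incident, estimated from the same history."""
    return sum(loss for _, _, loss in incidents) / len(incidents)

def annual_loss_expectancy(incidents):
    """ALE = ARO x SLE: expected annual loss with no new control."""
    return annual_rate_of_occurrence(incidents) * single_loss_expectancy(incidents)

def rosi(incidents, aro_reduction, annual_control_cost):
    """ROSI for a 'reduce the occurrence' control: aro_reduction is the fraction
    of incidents it prevents, so it lowers ARO and leaves SLE alone (a frequency
    model prices these controls, not 'reduce the effect' ones)."""
    ale_before = annual_loss_expectancy(incidents)
    ale_after = ale_before * (1.0 - aro_reduction)
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

def aro_by_location(incidents):
    """Per-location ARO, used to choose limited target groups for a pilot."""
    years = observation_years(incidents)
    counts = {}
    for _, location, _ in incidents:
        counts[location] = counts.get(location, 0) + 1
    return {loc: n / years for loc, n in counts.items()}

if __name__ == "__main__":
    # A constructed control expected to prevent 60% of incidents for 30,000 a year.
    print("ALE:", annual_loss_expectancy(INCIDENTS))
    print("ROSI:", round(rosi(INCIDENTS, 0.6, 30000), 2))
    print("Pilot candidates:", aro_by_location(INCIDENTS))
```

A negative ROSI means the control costs more per year than the loss it is expected to avoid; the per-location table shows where a pilot would see the most incidents, and hence measurable results, soonest.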
14/07/2008 Security MetricsPage 20
Verizon 2008 Data Breach Investigations Report
► 500 Investigations over 4 Years
► 18% of breaches were the result of an unpatched system
► 90% of unpatched breaches had had patches publicly available for 6 months or more
► No more would have been prevented by a patch cycle shorter than a month
► There is a lot of useful data in this report
14/07/2008 Security MetricsPage 21
Dan Geer’s counterpoint
► We are losing
► The bad guys are in it for the money
► Attackers’ costs are continually falling
► Need to start measuring ‘attack metrics’
► Focus on increasing their cost of attack
► More cost effective to redirect than to resist
14/07/2008 Security MetricsPage 22
Marcus Ranum’s counterpoint
► Statistics only work where:
► Population is large
► Problems are common and widely shared
► Aggressors act consistently
► The only scores that matter are 0% and 100%
► Security is not ‘risk management’ it is ‘complexity management’