Security Strategies Alert
By M. E. Kabay
One of the most difficult aspects of managing risk in information
assurance (IA) is that our statistical information is so poor. We don't
know about security breaches that we have not noticed; we don't report
all the breaches that we do notice to any central collection point; and
the methodology we use to collect information is dreadful: poorly
constructed surveys with tiny percentages of respondents, no internal
validation and no follow-up verification.
On a practical level, the question arises of exactly what we should be
measuring (that is, how to define security metrics) as a way of
understanding and managing security issues.
Dr. Gary Hinson, CISSP, CISA, CISM, MBA of Isect wrote an excellent
paper entitled "Seven myths about information security metrics" that was
originally published in the ISSA Journal in July 2006. Hinson
thoughtfully and articulately challenges these seven common assertions
(quoting the headings):
1. Metrics must be objective and tangible
2. Metrics must have discrete values
3. We need absolute measurements
4. Metrics are costly
5. You can't manage what you can't measure and you can't improve what
you can't manage
6. It is essential to measure process outcomes
7. We need the numbers!