Twenty-Four Seven Security

ebizQ

Can You Measure Risk? What About Security?


Would you ever work a job that didn't tell you what you were making or when you were making it? On the occasional payday, sometimes your paycheck would be there, and sometimes it wouldn't. In a free country, I can pretty much say that job would mostly go unfilled. So why do security solutions keep expecting us to pay for the same indeterminate results? Better yet, how might we measure those results?

According to Patrick Foley, security metrics represent "a great untamed wilderness" for organizations trying to determine both their risk profile and the effectiveness of the resources they've allocated to their security program.

He writes: "When I first became a security person after a career managing customer service, the most succinct argument I heard for security metrics was that you can't measure a negative. In other words, you could not determine whether a security control was effective until it failed...at which point you could determine that it was ineffective and you needed to spend more money theoretically making it more effective until it failed again."

Foley thinks there are probably no universally perfect security metrics -- but there are potential models in the securities trading and insurance fields that might provide some guidance for building security metrics models. The security industry's challenge is gathering the amount of current and historical data those other industries use to build their risk models.

Further, we need a reasonably consistent and universal framework for measuring and testing security controls. Some regulations, like PCI and HIPAA, are potentially prescriptive enough to serve as a starting point, but they are a far cry from the frameworks that financial auditors use. While many of us would chafe at the imposition of more regulations, we'd likely benefit from a codification of universal security requirements against which we can measure ourselves, Foley believes.

And in terms of accepting a job with indeterminate pay, I did that job for ten years. I was a humor writer living in NYC, and you know what took me ten years to realize? The joke was on me.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Managing Editor at ebizQ. Peter is also a very popular blogger in the IT Security space. Prior to this, Peter managed the database operations for a major cigar company, served as writer/editor of an early internet entertainment site, and also developed a computer accounting system for several retail stores. Peter can be reached at pschooff (at) ebizQ.net and at (914) 712-1500 ext. 273.
