
| Subject: | RE: Looking For Security Metrics |
|---|---|
| Date: | Fri, 28 Mar 2008 08:44:13 +1000 |
Day to day changes might occur due to measures you've taken to improve those defences, or to changes in the threat environment, but you can reasonably assert that higher values correlate with higher risk.
Thanks David. That's an excellent point.
-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: Friday, March 28, 2008 2:55 AM
To: 'Sheldon Malm'; 'Murda Mcloud'; jmacaranas@fxdd.com; security-basics@lists.securityfocus.com
Subject: RE: Looking For Security Metrics

If you're talking about an enumerated list of things to cover, then CIS, NIST, and the collective works of mitre (particularly CCE and CVE) are a great place to start.

An enumerated checklist -- an extremely useful tool! -- is not a metric. A metric doesn't just involve counting, it requires counting things that are sufficiently similar/interchangeable that comparing the counts taken under different conditions (typically different dates) can be usefully compared. If your count is 3 on day 1 and 7 on day 2, you'd like to be sure that means that the quality you're trying to measure ("security") is higher/better on day 2 than on day 1. But if those are counts of "top 10 preventive security measures", and the 3 on day 1 are the ones that are critical to your enterprise and the 7 on day 2 are just the remainder, then the meaning you had hoped for is not achieved.

On the other hand, "number of recognizable attack packets from outside sources detected by a sensor inside the perimeter" is a reasonable (inverse) metric of the effectiveness of your perimeter defences in the current threat environment. Day to day changes might occur due to measures you've taken to improve those defences, or to changes in the threat environment, but you can reasonably assert that higher values correlate with higher risk.

David Gillett
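The perimeter metric described in the message above, computed per day from sensor alerts. This is an added example and not part of the original thread; the alert line format, the sensor names, the internal address ranges and the sample alerts are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: address ranges treated as "inside the perimeter".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption: names of the sensors that sit inside the perimeter.
INSIDE_SENSORS = {"ids-core-1"}

# Constructed sample alerts, one per line:
# date time sensor src_ip dst_ip signature
SAMPLE_ALERTS = """\
2008-03-26 09:14:02 ids-core-1 203.0.113.7 10.1.2.3 SCAN-SYN
2008-03-26 09:15:40 ids-dmz-1 203.0.113.7 192.168.5.9 SCAN-SYN
2008-03-26 11:02:19 ids-core-1 10.4.4.4 10.1.2.3 SMB-PROBE
2008-03-27 02:31:55 ids-core-1 198.51.100.23 10.1.2.3 SQL-INJ
2008-03-27 02:32:10 ids-core-1 198.51.100.23 10.1.2.8 SQL-INJ
2008-03-27 14:00:00 ids-core-1 not-an-ip 10.1.2.8 SQL-INJ
"""

def is_external(addr):
    """True when addr is outside every internal range (ValueError if unparsable)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def daily_metric(text):
    """Count, per day, alerts from outside sources seen by an inside sensor.

    Every counted item is the same kind of event, so counts from different
    days are comparable. Returns (counts_by_day, skipped_lines).
    """
    counts = Counter()
    skipped = 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            skipped += 1          # malformed line: report it, do not guess
            continue
        day, _time, sensor, src, _dst, _sig = fields
        try:
            external = is_external(src)
        except ValueError:
            skipped += 1          # unparsable source address
            continue
        # Only alerts that crossed the perimeter count toward the metric:
        # DMZ sensors and internal-to-internal traffic are excluded.
        if sensor in INSIDE_SENSORS and external:
            counts[day] += 1
    return dict(counts), skipped

if __name__ == "__main__":
    print(daily_metric(SAMPLE_ALERTS))
```

Reporting the skipped-line count next to the metric keeps a drop caused by a broken log feed from being read as an improvement in the perimeter.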