Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Is there any way to measure IT Security??

from [prasanna.mukundan] Network Security [Permanent Link]
Subject: RE: Is there any way to measure IT Security??
Date: Tue, 16 Aug 2005 13:26:20 +0530 

Andrew,







1)  The costs associated with a future breach (including the effect on

intangible assets such as customer goodwill).



*Should* be fairly straight forward. Loss of customer goodwill depends
largely on the type of organization, doesn't it?

And the costs can be factored in, if you can classify the breach(es)
possible, isn't it? (although any possible litigation cost cannot
probably be estimated)





2)  The true picture of vulnerability within an environment.

I agree, don't think this one is possible.





3)  The probability that an attack will occur.

Again depends on the organization, and how much of its work is online,
or exposed network. not to mention the ease it presents to attackers!
;-)





And, 4)  A way to map those metrics to the CIA triad.

Not quite sure if I can answer that, someone else can probably answer
that.





Rgds,

Prasanna





-----Original Message-----
From: Andrew Stewart [mailto:andrew_j_stewart@mac.com]
Sent: Sunday, August 14, 2005 1:51 AM
To: security-management@securityfocus.com
Subject: Re: Is there any way to measure IT Security??





On Jul 28, 2005, at 7:56 PM, Fernando Martins wrote:




The technique must be risk analysis, considering the actual risks,



vulnerabilities and loss costs estimation.



If you want to measure, you must reduce everything to numbers. Start



with the loss costs for your confidentiality, integrity and



availability...



Identify the vulnerabilities and the probability of a specific



accident ...



Define levels of security and the types of possible enemies ...



At the end you will get 2/3 charts that have the measure of your



security ...




You are suggesting that it is possible to identify:



1)  The costs associated with a future breach (including the effect on

intangible assets such as customer goodwill).

2)  The true picture of vulnerability within an environment.

3)  The probability that an attack will occur.



And, 4)  A way to map those metrics to the CIA triad.



I'm interested to know how, exactly.



  - A







Confidentiality Notice

The information contained in this electronic message and any attachments to 
this message are intended
for the exclusive use of the addressee(s) and may contain confidential or 
privileged information. If
you are not the intended recipient, please notify the sender at Wipro or 
Mailadmin@wipro.com immediately
and destroy all copies of this message and any attachments.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Security program development (Plan), Larry Erdahl
Next by Date:  anti-phishing implementation, Bjorn Borg
Previous by Thread:  Re: Is there any way to measure IT Security??, Richard . Sullivan
Next by Thread:  Re: Infosec User Awareness And Training Handbook, Gunnar Kopperud
Indexes:  [Date] [Thread] [Top] [All Lists]