On Mar 1, 2006, at 2:33 PM, jblackley@sysmatrix.net wrote:
Fred,
at the tail end of your last post on this subject, you closed with,
"What am I missing."
Can you put your great experience to use and tell us what would be
useful to measure and what would be helpful in interpreting risk
data? (As opposed to only pointing out why the suggested items
would not be helpful.)
I have tried to do this in a number of ways:
A talk on security metrics given at the CSI conference a few months
ago - a copy of the slides are at all.net under "Recent Talks" ->
Security Metrics talk at CSI on 2005-11-14
The architecture model (at all.net - "Architecture") which gives the
top-down starting point for the model I think you should try to
measure against.
The book "Security Metrics" (asp-press.com) that provides detailed
metrics (200 pages + of them) and includes baseline values for
startup, diligence, average, good, best programs in each of the areas.
The risk management issue is of only limited value in measurement of
a program because program elements are not directed at specific items
that induce risks but rather reduce risks across the board in
different ways and places for each risk item. Again, you can read in
more detail about this approach at all.net under "Protection Posture
Assessments" and in the "Governance Guidebook" (asp-press).
I hope that these free and for fee resources will provide most of the
answers you seek, but I would be happy to go into more detail here
and there on list - at the risk of boring you all to tears.
FC
-- This communication is confidential to the parties it is intended
to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-press.com Livermore, CA 94550
