Information Security is the protection of critical information and data from its creation to its destruction, regardless of where it resides (technology, paper, or people's minds). It is a governance and management issue at least as much as a technical one, and it is best understood as a subset of the risk management discipline: the critical information assets need protecting precisely because of the risks to them.

Risk Management means taking deliberate actions to shift the odds in your favour, that is, increasing the probability of good outcomes and reducing the probability of bad ones (managing the risk of a car accident is the everyday example). But to change the odds we have to know what they are, and we have to be able to detect how they change under our influence. That requires security metrics.

Security Metrics are the servants of risk management, and risk management is about making decisions. The only security metrics worth collecting are therefore those that support decisions about risk. Security measurement is not just a tool for improvement; it is a prerequisite for managing risk at all, which is where the traditional saying applies: 'You cannot manage something that you cannot measure.'

Security is one of the few areas of management that lacks a well-understood canon of measurement techniques. In logistics, metrics such as 'freight cost per mile' and 'inventory warehouse turns' tell operators how efficiently trucking fleets and warehouses are run. In finance there is 'Value at Risk'. By contrast, security has nothing comparable.
Transcript of "Nabil Malik - Security performance metrics"
Security Performance Metrics
Nabil A. Malik
email@example.com

1 - Background
What is Information Security?
What is Risk Management?
Why do we need Security Measurements?
Objectives:
Understanding Security Evolution
Measuring Security

2 - Security Evolution
Assessment
Reporting
Prioritization
Mitigation
Follow them, and you have risk management!
Good for vendors: service charges at each cycle
Unpleasant for consumers: never clean

2 - Security Evolution
The problem:
Captures the easy part (identification and fixing)
Misses the hard part (quantification and valuation of risk)
Vendor tools are agnostic about the organizational context
Thus today's Risk Management = Identify + Fix
Real Risk Management should be identification, rating, mitigation and, above all, quantification of the risks

2 - Security Evolution
FUD is the old model (past and present)
FEAR, UNCERTAINTY and DOUBT (FUD)
The FEAR of the catastrophic consequences of an information attack
The UNCERTAINTY about vulnerabilities
The DOUBT about the sufficiency of existing controls
Shall we continue to rely on oracles and fortune tellers (vendors!) to give us security advice and hope it will keep us safe?

3 - Security Metrics
Business questions:
Is my security better this year?
What am I getting out of my security investment?
How do I compare to my peers?
Answers:
Readily answered in other business contexts
Silence and embarrassment in the security context
Metric = "a system of measurement"

3 - Security Metrics
Good metrics are:
Consistently measured
Cheap to gather
Expressed as a cardinal number or percentage
Expressed using at least one unit of measure
Contextually specific
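The following is an added example, not part of Nabil Malik's slides, showing what a metric that meets the criteria above looks like in practice. It computes two vulnerability-remediation metrics from a constructed set of finding records (the record layout, the SLA values and the team names are all assumptions made for illustration): the percentage of findings of a given severity closed within SLA, and the median days to close. The counting rule is fixed in code so the number is consistently measured, it is cheap to gather from a ticket export, it is a percentage or a cardinal number, it carries a unit (percent, days), and it is scoped to a severity and an owning team so it is contextually specific.

```python
"""Two security metrics over constructed vulnerability-remediation records.

Added example for illustration; the data, SLA policy and team names below
are assumptions, not real scanner or ticket output.
"""
from datetime import date
from statistics import median

# Constructed sample records (assumed layout):
# (finding_id, owner_team, severity, opened, closed)  closed is None if still open
FINDINGS = [
    ("F-1", "payments", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    ("F-2", "payments", "critical", date(2024, 3, 2), date(2024, 3, 8)),
    ("F-3", "payments", "high",     date(2024, 3, 3), date(2024, 3, 20)),
    ("F-4", "web",      "critical", date(2024, 3, 5), date(2024, 3, 9)),
    ("F-5", "web",      "critical", date(2024, 3, 20), None),  # open, past SLA by AS_OF
    ("F-6", "web",      "high",     date(2024, 3, 28), None),  # open, inside SLA at AS_OF
    ("F-7", "web",      "medium",   date(2024, 2, 1), date(2024, 3, 30)),
]

# Assumed remediation policy: maximum days from open to close per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Measurement dates used by the stand-alone run below.
AS_OF = date(2024, 4, 1)
LATER = date(2024, 5, 1)


def closed_within_sla(finding, as_of):
    """Outcome of one finding as of a date: True (met SLA), False (missed), or
    None when the SLA window has not elapsed yet, so the outcome is not decidable.

    Fixing this rule in code is what makes the metric consistently measured:
    open findings past their SLA count as misses, open findings still inside
    the window are excluded rather than silently counted either way.
    """
    _, _, severity, opened, closed = finding
    sla = SLA_DAYS[severity]
    if closed is not None:
        return (closed - opened).days <= sla
    if (as_of - opened).days > sla:
        return False
    return None


def pct_within_sla(findings, severity, as_of, team=None):
    """Percentage (0-100, unit: percent) of decidable findings of `severity`
    closed within SLA, optionally restricted to one owning team.
    Returns None when there is nothing to measure instead of a misleading 0%.
    """
    outcomes = [
        closed_within_sla(f, as_of)
        for f in findings
        if f[2] == severity and (team is None or f[1] == team)
    ]
    decided = [o for o in outcomes if o is not None]
    if not decided:
        return None
    return round(100.0 * sum(decided) / len(decided), 1)


def median_days_to_close(findings, severity, team=None):
    """Median days (unit: days) from open to close over closed findings of
    `severity`, optionally per team. Open findings are excluded."""
    durations = [
        (closed - opened).days
        for _, t, sev, opened, closed in findings
        if sev == severity and closed is not None and (team is None or t == team)
    ]
    return median(durations) if durations else None


def snapshot(findings, as_of, teams=("payments", "web")):
    """One row per (team, severity): value, unit pairs ready for a report."""
    rows = []
    for team in teams:
        for sev in SLA_DAYS:
            rows.append({
                "team": team, "severity": sev, "as_of": as_of.isoformat(),
                "within_sla": (pct_within_sla(findings, sev, as_of, team), "%"),
                "median_ttr": (median_days_to_close(findings, sev, team), "days"),
            })
    return rows


if __name__ == "__main__":
    for row in snapshot(FINDINGS, AS_OF):
        print(row)
    # The same metric measured a month later flips F-6 from "not decidable"
    # to a miss, so the high-severity figure changes from 100% to 50%.
    print("high within SLA, later:", pct_within_sla(FINDINGS, "high", LATER), "%")
```

Note that the measurement date is an explicit input: the same records yield a different high-severity SLA figure a month later, because the still-open finding F-6 becomes a miss once its window elapses. Recording the as-of date alongside the value is part of making the metric reproducible.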