Nabil Malik - Security performance metrics
  • Information Security – the protection of critical information and data from its creation to its destruction, regardless of where it is located (technology, paper, or people's minds). It is more a governance and management issue than a purely technical one. It is safe to say that information security is a subset of the risk management discipline: after all, it is risks that we need to protect the critical information assets from.
    Risk Management – taking deliberate action(s) to shift the odds (probability, chances) in your favor, that is, increasing the odds of good outcomes and reducing the odds of bad outcomes. Example: a car – managing the risk of an accident. But to change the odds, we have to know what the odds are, and we have to be able to detect how the odds change under our influence. To do this, we need security metrics.
    Security Metrics – security metrics are the servants of risk management, and risk management is about making decisions. Therefore, the only security metrics we are interested in are those that support decision making about risk. Security measurement is not only required for improvement; it is a must for managing risk. This is where the traditional saying applies: "You cannot manage something that you cannot measure." Security is one of the few areas of management that does not possess a well-understood canon of techniques for measurement. In logistics, for example, metrics such as "freight cost per mile" and "inventory warehouse turns" help operators understand how efficiently their trucking fleets and warehouses are run. In finance we have "Value at Risk". By contrast, security has exactly nothing.

Presentation Transcript

  • Security Performance Metrics
    Nabil A. Malik
    nabil.malik@gmail.com
  • Agenda
    Background
    Security Evolution
    Security Metrics
    Measuring Technical Security
    Measuring Security Program
  • 1 - Background
    What is Information Security?
    What is Risk Management?
    Why do we need Security Measurements?
    Objectives:
    Understanding Security Evolution
    Measuring Security
  • 2- Security Evolution
    The Past
    A Technical Function
    Technical Security – Firewall, IDS, Access Control
    The Present
    An Assurance Function – mostly Risk Management
    Risk Management Process
    The Doughnut-Shaped Cycle
    The Future
    Metrics supplementing Risk Management
  • 2 - Security Evolution
  • 2- Security Evolution
    Assessment
    Reporting
    Prioritization
    Mitigation
    Follow them, and you have risk management!
    Good for Vendors – Service charges at each cycle
    Unpleasant for Consumers – Never Clean
  • 2- Security Evolution
    The Problem:
    Captures the easy part (identification and fixing)
    Misses on the hard part (quantification and valuation of risk)
    Vendor tools are agnostic about the organizational context
    Real Risk Management should be identification, rating, mitigation, and above all, quantification of the risks
    Thus, today’s Risk Management = Identify + Fix
  • 2- Security Evolution
    FUD is the old-model (Past and Present)
    FEAR, UNCERTAINTY, and DOUBT (FUD)
    The FEAR of the catastrophic consequence of an information attack
    The UNCERTAINTY about Vulnerabilities
    The DOUBT about the sufficiency of existing controls
    Shall we continue to rely on Oracles and Fortune Tellers (Vendors!) to give us security advice and hope it will keep us safe?
  • 3 - Security Metrics
    Business Questions:
    Is my security better this year?
    What am I getting out of my security investment?
    How do I compare to my peers?
    Answers:
    Readily answered in other business contexts
    Silence and embarrassment in the security context
    Metric = “A system of measurement”
  • 3 - Security Metrics
    Good Metrics are:
    Consistently measured
    Cheap to gather
    Expressed as a cardinal number or percentage
    Expressed using at least one unit of measure
    Contextually specific
  • 4 – Measuring Technical Security – Perimeter Defense: Email
  • 4 – Measuring Technical Security – Perimeter Defense: Anti-Malware
  • 4 – Measuring Technical Security – Coverage and Control
  • 4 – Measuring Technical Security – Availability and Reliability
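    As an added example (not part of the presentation, and not the author's own tooling), the following Python script shows what the criteria on the "Good Metrics" slide look like when applied to the four areas of technical security named in the slide titles above: perimeter e-mail defense, anti-malware coverage, and service availability. Each metric is computed the same way every period, carries a cardinal number or percentage, an explicit unit of measure, and the context it applies to. All gateway counts, host records and outage durations are constructed for illustration; the host names, dates and the 7-day signature-age threshold are assumptions.

```python
# Added example (not from the presentation): a small scorecard that turns
# raw operational records into metrics meeting the criteria on the
# "Good Metrics" slide. All input data below is constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Metric:
    name: str
    value: float       # cardinal number or percentage
    unit: str          # at least one unit of measure
    context: str       # scope the number applies to


def pct(part: float, whole: float) -> float:
    """Percentage rounded to two places; an empty population yields 0.0
    rather than a ZeroDivisionError so a scorecard never aborts."""
    return 0.0 if whole == 0 else round(100.0 * part / whole, 2)


# Constructed sample data (assumed values, not measurements from the deck).
TODAY = date(2012, 6, 30)

# Perimeter defense, e-mail: (day, inbound messages, blocked as spam,
# blocked as malware) as a mail gateway might report them per day.
MAIL_GATEWAY = [
    ("2012-06-28", 12000, 9100, 40),
    ("2012-06-29", 11500, 8700, 55),
    ("2012-06-30", 9800, 7400, 12),
]

# Anti-malware coverage: (hostname, date of last signature update);
# None means the agent has not reported at all.
HOSTS = [
    ("ws-001", date(2012, 6, 30)),
    ("ws-002", date(2012, 6, 29)),
    ("ws-003", date(2012, 6, 10)),
    ("ws-004", None),
]

# Availability: one service, one 30-day period, outage durations in minutes.
PERIOD_MINUTES = 30 * 24 * 60
OUTAGE_MINUTES = [45, 120]


def email_block_rate(rows) -> Metric:
    """Share of inbound mail stopped at the perimeter (spam plus malware)."""
    inbound = sum(r[1] for r in rows)
    blocked = sum(r[2] + r[3] for r in rows)
    return Metric("inbound e-mail blocked", pct(blocked, inbound),
                  "% of inbound messages", f"e-mail gateway, {len(rows)} days")


def malware_blocked_per_day(rows) -> Metric:
    """Malicious attachments stopped, normalised to a daily rate."""
    per_day = sum(r[3] for r in rows) / len(rows) if rows else 0.0
    return Metric("malware blocked at gateway", round(per_day, 2),
                  "messages per day", f"e-mail gateway, {len(rows)} days")


def signature_coverage(hosts, today: date, max_age_days: int = 7) -> Metric:
    """Hosts whose anti-malware signatures are no older than max_age_days.
    A host that has never reported counts as uncovered, not as missing data."""
    current = sum(1 for _, last in hosts
                  if last is not None and (today - last).days <= max_age_days)
    return Metric("anti-malware signatures current", pct(current, len(hosts)),
                  "% of managed hosts", f"signature age <= {max_age_days} days")


def availability(period_minutes: int, outages) -> Metric:
    """Uptime as a share of scheduled minutes in the reporting period."""
    up = period_minutes - sum(outages)
    return Metric("service availability", pct(up, period_minutes),
                  "% of scheduled minutes", f"{period_minutes // 1440}-day period")


def scorecard() -> list:
    """The four metrics, each carrying value, unit and context together."""
    return [
        email_block_rate(MAIL_GATEWAY),
        malware_blocked_per_day(MAIL_GATEWAY),
        signature_coverage(HOSTS, TODAY),
        availability(PERIOD_MINUTES, OUTAGE_MINUTES),
    ]


if __name__ == "__main__":
    for m in scorecard():
        print(f"{m.name:32} {m.value:>8} {m.unit:26} ({m.context})")
```

    The point of the `Metric` record is that a number never travels without its unit and scope, which is what makes the "is my security better this year?" comparison meaningful. The unreported host in `HOSTS` is deliberately counted against coverage: dropping it from the denominator would make the percentage look better as the agent population decays, which is exactly the kind of vendor-tool blind spot the Security Evolution slides warn about.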
  • 5 – Measuring Security Program
    Frameworks: COBIT, ISO 2700x, NIST, ...
    Security Program contains Controls
    Some Controls are also Processes
    Examples of Security Processes include:
    Risk Management
    Policy Development and Compliance
    Human Resource Security
    Human Education
    Incident Management
    Information Continuity Management
  • 5 – Measuring Security Program – Planning and Organization
  • 5 – Measuring Security Program – Acquisition and Implementation
  • 5 – Measuring Security Program – Delivery and Support
  • 5 – Measuring Security Program – Delivery and Support
  • 5 – Measuring Security Program – Monitor and Evaluate
  • Questions?
    Nabil A. Malik
    nabil.malik@gmail.com