Meaningful security metrics

Presentation slides given at NetFocus 2011 in Bournemouth.

  • This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process; otherwise it should not be deployed. By linking requirements to policies, to processes and to technologies we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. IT Security policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by People using Technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, all at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia's information security status can be compared with other companies.

Meaningful security metrics: presentation transcript

  • Meaningful and useful Security metrics
    Vladimir Jirasek
    5th Oct 2011
  • About me
    Security professional (11 years), current work at Nokia as Enterprise Security architect
    Founding member and steering group member of (Common Assurance Maturity Model) CAMM (common-assurance.com)
    Director of Research, CSA UK & Ireland
    I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  • I will cover three topics today
    Information Security Model
    Metrics for CIO
    Metrics for Operations manager
    Metrics for CISO
    Metrics for CEO and the Board
  • Security model – business drives security (diagram slide; box labels as extracted): Feedback: update business requirements; International security standards; Line Management; Security management; Correction of security processes; Laws & Regulations; Product Management; Process framework; Policy framework; Metrics framework; Information Security Metrics objectives; Information Security Processes; Information Security policies; Program Management; Measured by; Information Security standards; Risk & Compliance; IT GRC; Business objectives; Information Security guidelines; External security metrics; Business impact; Measure security maturity; Execute security controls; Define security controls; Security management; Business & information risks; Security intelligence; Security Services; Security Professionals; Security threats
  • Security metrics characteristics
    Quantitative (ideally)
    With KPIs attached – know what is good and bad
    Linked to business objectives – money speaks
  • Metrics for CIO – (1) Policy compliance and control maturity
  • Metrics for CIO – (2) Value at risk*
    Asset values
    Maturity of controls
    System weaknesses
    Threat information
    Output – most likely (probability distribution) £ value of total exposure that IT organisation is exposed to
    Inspiration in BASEL II
    Work in progress
    * Eq most likely Total Exposure
  • Metrics for Ops manager
    The morning dilemma: “Can I have a coffee or is there something urgent to fix?”
    Suggested metrics:
    A number/percentage of systems outside SLA for fixing security weaknesses (both patches and configuration errors) – details of highly critical offenders – sorted by value at risk
    Security incidents that resulted in breached SLA (SLA is both time and £ value)
    And of course: Value at Risk
    Quiz: Is “a number of critical vulnerabilities” a good metric?
    Answer: Not on its own!
  • Metrics for CISO
    Gartner: by 2014 IT GRC and eGRC will merge in 70% of organisations. Likely head: CISO
    Relevant metrics:
    Value at Risk – includes IT and other departments
    Compliance matrix ( same as for CIO)
    Annual risk reduction - Difference between VaR now and last year compared to money spent
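The Ops manager metrics (systems outside the fix SLA, worst offenders sorted by value at risk) and the CISO's annual risk reduction figure, worked through in Python as an added example that is not part of the presentation. The system inventory is constructed, and the value-at-risk proxy (asset value times an assumed annual exploit likelihood) is a simplification standing in for the probability-distribution model the slides describe as work in progress.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the presentation): each system carries its
# asset value in £, the type of open weakness, the SLA deadline for fixing it
# and an assumed annual likelihood that the weakness is exploited.
@dataclass
class SystemRecord:
    name: str
    asset_value_gbp: float
    weakness: str               # "patch" or "config", as on the slide
    sla_deadline: date
    exploit_likelihood: float   # assumed annual probability, 0..1

SYSTEMS = [
    SystemRecord("crm-db", 2_000_000, "patch", date(2011, 9, 20), 0.30),
    SystemRecord("hr-portal", 500_000, "config", date(2011, 10, 10), 0.10),
    SystemRecord("build-server", 150_000, "patch", date(2011, 9, 1), 0.50),
    SystemRecord("intranet-wiki", 50_000, "config", date(2011, 11, 1), 0.05),
]
REPORT_DATE = date(2011, 10, 5)  # reporting day; the date of the talk

def value_at_risk(system: SystemRecord) -> float:
    """Simplified VaR proxy (assumption): asset value x exploit likelihood."""
    return system.asset_value_gbp * system.exploit_likelihood

def systems_outside_sla(systems, today: date):
    """Ops-manager metric: systems past their fix SLA, highest VaR first."""
    late = [s for s in systems if s.sla_deadline < today]
    return sorted(late, key=value_at_risk, reverse=True)

def pct_outside_sla(systems, today: date) -> float:
    """Share of the estate currently outside SLA, as a percentage."""
    if not systems:
        return 0.0
    return 100.0 * len(systems_outside_sla(systems, today)) / len(systems)

def annual_risk_reduction(var_last_year: float, var_now: float, spend: float) -> float:
    """CISO metric: £ of VaR removed per £ spent over the year. A value below
    1.0 means the programme cost more than the risk it removed (the 'end year
    review' situation on the next slide); VaR can also rise year on year."""
    if spend <= 0:
        raise ValueError("spend must be positive")
    return (var_last_year - var_now) / spend

if __name__ == "__main__":
    for s in systems_outside_sla(SYSTEMS, REPORT_DATE):
        print(f"{s.name:14} {s.weakness:6} VaR £{value_at_risk(s):>10,.0f}")
    print(f"{pct_outside_sla(SYSTEMS, REPORT_DATE):.0f}% of systems outside SLA")
    print(f"risk reduction per £ spent: {annual_risk_reduction(1_200_000, 900_000, 250_000):.2f}")
```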
  • Showing value for money
    End year review: We have spent more than the risk reduction but there were no incidents!
    VaR can also increase with new business processes and changes in regulatory and threat landscape.
  • Metrics for CEO and board
    Total exposure (£) = Value at Risk indicator
    Unmanaged risk = likelihood there are risks that we do not know about = inverse of eGRC maturity
  • How do I know I have good metrics – metrics of metrics
    Decision effectiveness approach
    % of important management decisions that can be or have been influenced by double learning (i.e. revision and refinement of targets, measures, criteria, etc.)
    Investment approach
    % of security metrics costs for “exploratory/testing” vs. total metrics cost
    Cycle time from “Sense” to “Respond” for changing security metrics and management procedures.
    % of metrics that are collected and calculated automatically
    Cost of changing security metrics and management procedures as % of total security management costs.
    % of security metrics that do not tie to any decisions or decision processes (over-shoot)
    % of decisions that have inadequate metrics support (under-shoot)
    % of metrics which have significant number of false signals
  • Summary
    Metrics need to include monetary value otherwise the business leaders will not understand why the metrics are collected and presented
    Security (and GRC in general) are here to keep the company risk at acceptable level – that needs to be measured
    Link security metrics to policy which is linked to business objectives
    Boards do not like “un-managed risk”
    Measure the metrics