SlideShare a Scribd company logo

Chicago Security Meetup 08/2016

Michael Roytman
Michael Roytman

Security Metrics are often about the performance of information security professionals - traditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure if those metrics are the rights ones? How does one measure risk reduction, or how successful your metrics program is at operationalizing that which is necessary to prevent a breach? The data we'll explore defined the 2016 Verizon DBIR Vulnerabilities section. This talk will borrow concepts from epidemiology, repeated game theory, classical and causal probability theory in order to demonstrate some inventive metrics for evaluating vulnerability management strategies. Not all vulnerabilities are at risk of being breached. Not all people are at risk for catching the flu. By analogy, we are trying to be effective at catching the "disease" of vulnerabilities which are susceptible to breaches, and not all are. How do we determine what is truly critical? How do we determine if we are effective at remediating what is truly critical? Because the incidence of disease is unknown, the absolute risk can not be calculated. This talk will introduce some concepts from other fields for dealing with infosec uncertainty. Attackers are human too - and currently available data allows us to make some predictions about how they'll behave. And to predict is to prevent.

Internet
1 of 45
Download to read offline
MR.HUMAN: VULNERABILITY MANAGEMENT FROM THE ATTACKER’S PERSPECTIVE @MROYTMAN
“Our key to success is knowing the network better than the people who set it up.” -Rob Joyce, Director, NSA TAO
“The NSA tires known CVEs and SQLi first.” -Rob Joyce, Director, NSA TAO
“The NSAs worst nightmare is a sysadmin who pays attention.” -Rob Joyce, Director, NSA TAO
INFOSEC: 1. Is slow. 2. Is lazy. 3. Loves hype.
SLOW
LAZY
<3 HYPE
ATTACKERS: 1. Automate. 2. Are just as lazy as you are. 3. Focus on what works.
1. ATTACKERS ARE BETTER AT AUTOMATION
ATTACKERS ARE FAST
ATTACKERS ARE BETTER AT AUTOMATION
Q1 Q2 Q3 Q4
WE NEED BETTER AUTOMATION
WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
MANUAL
WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
SOMETIMES WE MAKE BAD DECISIONS SOMETIMES WE HAVE BAD METRICS
METRICS ARE DECISION SUPPORT
GOOD METRICS ARE OBJECTIVE FUNCTIONS FOR AUTOMATION
WHAT MAKES A METRIC GOOD?
HEARTBLEED CVSS 5 SHELLSHOCK CVSS 10 POODLE CVSS 4.3
CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
ATTACKERS CHANGE TACTICS DAILY
WHAT DEFINES A GOOD METRIC? GOOD DATA
WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
2. ATTACKERS ARE JUST AS LAZY AS YOU ARE
YOU NEED DATA TO MAKE DATA
METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value (the proportion of positive test results that are true positives) of remediating a vulnerability with property X:
3. ATTACKERS FOCUS ON WHAT WORKS
ATTACKERS: 1. Automate. 2. Are just as lazy as you are. 3. Focus on what works.
ATTACKERS: 1. Spray and pray. 2. Use Metasploit. 3. Exploit more than patch tuesday.
KENNASECURITY.COM @MROYTMAN
References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.

Recommended

Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting ExploitabilityMichael Roytman
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsMichael Roytman
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedCyphort
 
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling Methods
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling MethodsContextual Dissonance: Design Bias in Sensor-Based Experience Sampling Methods
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling MethodsNeal Lathia
 
Tips & Tricks To Reducing TTR
Tips & Tricks To Reducing TTRTips & Tricks To Reducing TTR
Tips & Tricks To Reducing TTRVictorOps
 
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03drewz lin
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 

Recommended

Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting ExploitabilityMichael Roytman
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsMichael Roytman
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedCyphort
 
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling Methods
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling MethodsContextual Dissonance: Design Bias in Sensor-Based Experience Sampling Methods
Contextual Dissonance: Design Bias in Sensor-Based Experience Sampling MethodsNeal Lathia
 
Tips & Tricks To Reducing TTR
Tips & Tricks To Reducing TTRTips & Tricks To Reducing TTR
Tips & Tricks To Reducing TTRVictorOps
 
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03drewz lin
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 
Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionJonathan Cran
 
HPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnParkHPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnParkJohn D. Park
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...Pete Burnap
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 
Yichu (Eric) Jin
Yichu (Eric) JinYichu (Eric) Jin
Yichu (Eric) JinYichu Jin
 
PoSicionES dE SexO
PoSicionES dE SexOPoSicionES dE SexO
PoSicionES dE SexOfernado altuve
 
Algoritmo
AlgoritmoAlgoritmo
AlgoritmoJUAN BERMUDEZ
 
Android secure coding
Android secure codingAndroid secure coding
Android secure codingBlueinfy Solutions
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
La culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, LuxembourgLa culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, LuxembourgMorena Coaching International
 
ELD Standards and CCSS
ELD Standards and CCSSELD Standards and CCSS
ELD Standards and CCSSCarla Piper
 
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...Global Business Events
 
Design Thinking and Engineering for Young Students
Design Thinking and Engineering for Young StudentsDesign Thinking and Engineering for Young Students
Design Thinking and Engineering for Young StudentsJessica Lura
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updatedDenim Group
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)Rebecca Ferriday
 
THE BIG FOUR
THE BIG FOURTHE BIG FOUR
THE BIG FOURICFAI Business School
 
SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015Ayikobua Geoffrey
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanMichael Roytman
 

More Related Content

What's hot

Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionJonathan Cran
 
HPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnParkHPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnParkJohn D. Park
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...Pete Burnap
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 

What's hot (7)

Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and Prediction
 
HPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnParkHPBigData2015Predicting Cyber Security Industry-JohnPark
HPBigData2015Predicting Cyber Security Industry-JohnPark
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What Matters
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your Worries
 
Fix What Matters
Fix What MattersFix What Matters
Fix What Matters
 
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
Real-time Classification of Malicious URLs on Twitter using Machine Activity ...
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 

Viewers also liked

Yichu (Eric) Jin
Yichu (Eric) JinYichu (Eric) Jin
Yichu (Eric) JinYichu Jin
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
La culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, LuxembourgLa culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, LuxembourgMorena Coaching International
 
ELD Standards and CCSS
ELD Standards and CCSSELD Standards and CCSS
ELD Standards and CCSSCarla Piper
 
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...Global Business Events
 
Design Thinking and Engineering for Young Students
Design Thinking and Engineering for Young StudentsDesign Thinking and Engineering for Young Students
Design Thinking and Engineering for Young StudentsJessica Lura
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updatedDenim Group
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)Rebecca Ferriday
 
SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015Ayikobua Geoffrey
 

Viewers also liked (14)

Yichu (Eric) Jin
Yichu (Eric) JinYichu (Eric) Jin
Yichu (Eric) Jin
 
PoSicionES dE SexO
PoSicionES dE SexOPoSicionES dE SexO
PoSicionES dE SexO
 
Algoritmo
AlgoritmoAlgoritmo
Algoritmo
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
La culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, LuxembourgLa culture sécurité-santé et le coaching, Luxembourg
La culture sécurité-santé et le coaching, Luxembourg
 
ELD Standards and CCSS
ELD Standards and CCSSELD Standards and CCSS
ELD Standards and CCSS
 
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
Richard Horton, Head of Transport Development for Travis Perkins - Operationa...
 
Design Thinking and Engineering for Young Students
Design Thinking and Engineering for Young StudentsDesign Thinking and Engineering for Young Students
Design Thinking and Engineering for Young Students
 
What a locked down law firm looks like updated
What a locked down law firm looks like updatedWhat a locked down law firm looks like updated
What a locked down law firm looks like updated
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)Students for Kids International Projects (SKIP)
Students for Kids International Projects (SKIP)
 
THE BIG FOUR
THE BIG FOURTHE BIG FOUR
THE BIG FOUR
 
SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015SNV_VALUE ADDED LETTER, , 14 2015
SNV_VALUE ADDED LETTER, , 14 2015
 

Similar to Chicago Security Meetup 08/2016

Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanMichael Roytman
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Michael Roytman
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyKenna
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseShujun Li
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
ISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxbagotjesusa
 
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkMalware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkIJNSA Journal
 
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkMalware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkIJNSA Journal
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIOSR Journals
 
Cyber Security Models - CxT Group
Cyber Security Models - CxT GroupCyber Security Models - CxT Group
Cyber Security Models - CxT GroupCXT Group
 
Week 6 GuidancePsychological ResearchThere are many ways to co
Week 6 GuidancePsychological ResearchThere are many ways to coWeek 6 GuidancePsychological ResearchThere are many ways to co
Week 6 GuidancePsychological ResearchThere are many ways to coladonnacamplin
 
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...IJNSA Journal
 
System Dynamics Based Insider Threats Modeling
System Dynamics Based Insider Threats ModelingSystem Dynamics Based Insider Threats Modeling
System Dynamics Based Insider Threats ModelingIJNSA Journal
 
A predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphsA predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphsIJCNCJournal
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerKim Hammar
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxhealdkathaleen
 

Similar to Chicago Security Meetup 08/2016 (20)

Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security Strategy
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use case
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats Predictions
 
ISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docx
 
Msc dare journal 1
Msc dare journal 1Msc dare journal 1
Msc dare journal 1
 
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkMalware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
 
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief NetworkMalware Risk Analysis on the Campus Network with Bayesian Belief Network
Malware Risk Analysis on the Campus Network with Bayesian Belief Network
 
Charan Resume
Charan ResumeCharan Resume
Charan Resume
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile Networks
 
Cyber Security Models - CxT Group
Cyber Security Models - CxT GroupCyber Security Models - CxT Group
Cyber Security Models - CxT Group
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
Week 6 GuidancePsychological ResearchThere are many ways to co
Week 6 GuidancePsychological ResearchThere are many ways to coWeek 6 GuidancePsychological ResearchThere are many ways to co
Week 6 GuidancePsychological ResearchThere are many ways to co
 
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
 
System Dynamics Based Insider Threats Modeling
System Dynamics Based Insider Threats ModelingSystem Dynamics Based Insider Threats Modeling
System Dynamics Based Insider Threats Modeling
 
A predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphsA predictive framework for cyber security analytics using attack graphs
A predictive framework for cyber security analytics using attack graphs
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadler
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
 

More from Michael Roytman

Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Michael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Michael Roytman
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeMichael Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementMichael Roytman
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMichael Roytman
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OMichael Roytman
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 

More from Michael Roytman (9)

CyberTechEurope.pptx
CyberTechEurope.pptxCyberTechEurope.pptx
CyberTechEurope.pptx
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach Landscape
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done Right
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/O
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability Management
 

Recently uploaded

The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxGal Baras
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shoplaozhuseo02
 

Recently uploaded (12)

The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

Chicago Security Meetup 08/2016

  • 2.
  • 3. “Our key to success is knowing the network better than the people who set it up.” -Rob Joyce, Director, NSA TAO
  • 4. “The NSA tires known CVEs and SQLi first.” -Rob Joyce, Director, NSA TAO
  • 5. “The NSAs worst nightmare is a sysadmin who pays attention.” -Rob Joyce, Director, NSA TAO
  • 6. INFOSEC: 1. Is slow. 2. Is lazy. 3. Loves hype.
  • 7.
  • 11.
  • 12. ATTACKERS: 1. Automate. 2. Are just as lazy as you are. 3. Focus on what works.
  • 13. 1. ATTACKERS ARE BETTER AT AUTOMATION
  • 18. WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
  • 20. WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
  • 21. SOMETIMES WE MAKE BAD DECISIONS SOMETIMES WE HAVE BAD METRICS
  • 24. WHAT MAKES A METRIC GOOD?
  • 26.
  • 27. CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
  • 29. WHAT DEFINES A GOOD METRIC? GOOD DATA
  • 30. WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
  • 31. TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
  • 32. WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
  • 33. 2. ATTACKERS ARE JUST AS LAZY AS YOU ARE
  • 34. YOU NEED DATA TO MAKE DATA
  • 35. METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
  • 36. YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
  • 37. PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
  • 38. 0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value (the proportion of positive test results that are true positives) of remediating a vulnerability with property X:
  • 39. 3. ATTACKERS FOCUS ON WHAT WORKS
  • 40.
  • 41. ATTACKERS: 1. Automate. 2. Are just as lazy as you are. 3. Focus on what works.
  • 42. ATTACKERS: 1. Spray and pray. 2. Use Metasploit. 3. Exploit more than patch tuesday.
  • 44. References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
  • 45. A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.