IT Security Metrics
1. L E A D ∙ T R A N S F O R M ∙ D E L I V E R
Page 1
Disclaimer: Not an official spokesperson for Treasury. The views expressed herein by the author do not necessarily reflect the views of Treasury. The information
provided is of a general, broad, and wide-spread nature, and only a competent authority with specialized knowledge of your unique environment can address the
specific circumstances of your situation.
Darkness Falls Fast
Developing Actionable Security Metrics to Protect Enterprises
Brian Bissett
Department of the Treasury
Bureau of Fiscal Service
Bio-IT World Conference 2021
Page 2
Good Metrics
Irrespective of industry or initiative, a good metric will be:
Specific
Relevant
Repeatable (results fall within an acceptable margin of error when run under identical circumstances)
Aligned with business goals, quantitative, demonstrate controllability, and can be control charted (trendable).
A leading indicator with defensible causal relationships to business outcomes.1
Objective and bear a clear relationship to the business of the enterprise and its goals, with context and meaning.
Low in overhead.
Page 3
Great Metrics
A great metric will:
Immediately convey whether a situation is good or bad, normal or abnormal.2
Provide insight into business implications.
Be objective and bear a clear relationship to the business of the enterprise and its goals, with context and meaning.
Be composed of cardinal numbers: ratios, absolute numbers, or percentages.3
Articulate what is most important to the organization.
Have a first-order cause-and-effect relationship (ideal).
Page 4
The Element of Time
Forrester Research: enterprises need a mixture of metrics that lag, lead, and are coincident to the enterprise.4
Gartner’s recommendation (Rule Number 4): “Choose Metrics that are forward looking” for security contexts.5
So who is right?
Leading or forward-looking metrics are most valuable to an organization. Such metrics are speculation based on past performance, expert opinion, and other factors subject to debate and error.
Expert opinion lies at the bottom of the hierarchy of evidence. This makes Gartner’s recommendation very controversial.
Page 5
Leading, Lagging, or Coincident?
A lagging metric will highlight the results of past decisions.
A coincident or real-time metric will provide a snapshot of the current situation.
Leading indicators provide predictive data points.
Past performance may be the single best predictor of future behavior, but:
Trends do not continue forever; they will reach an asymptotic limit, “burn out”, or crash or spike due to a supply issue.
Future behavior is modeled on parameter estimation from expert opinion, and “experts” are frequently wrong.
Everyone is subject to confirmation bias.
Page 6
Cisco Metric Types
The Cisco framework utilizes two types of metrics6:
1. A ratio or percentage type measurement (typically a pass/fail type of metric)
2. An on-time correction metric (measures if a vulnerability was rectified in the time allotted for its closure)
3. Federal standards are* (usually – exceptions exist):
* Binding Operational Directive 19-02.
Severity   Rectification Time Limit
Critical   15 Days
High       30 Days
Moderate   30 Days
Cisco Vulnerability Metric Framework
The Cisco Vulnerability Metric Framework divides
vulnerabilities into three categories: technology, process,
and people.
1. Technology - factors such as antimalware compliance,
stack compliance, application security weaknesses, and
open security exceptions.
2. Process - weaknesses in the architecture of the
enterprise and the processes that allow access to the
enterprise
3. People - security awareness of the people who have
access to the enterprise
Cisco “maturity level” for metrics
Cisco defines a “maturity level” for metrics.
Order from least to most mature is:
Ad hoc
Reactive
Proactive
Predictive
Common Industry Metrics7
IT security spending as a percent of total IT spending:
$\frac{\text{IT security spending}}{\text{total IT spending}} \times 100$
The relative level of investment to support the security of the enterprise from the perspective of the total IT portfolio.
IT security spending per employee:
$\frac{\text{IT security spending}}{\text{Total employees}}$
Insight on the level of investment the enterprise is making to develop and maintain both security-conscious employees and the protection of the environments they work within.
Common Industry Metrics II7
IT security spending per thousand dollars of revenue:
$\frac{\text{IT security spending}}{\text{total revenue} / 1000}$
The metric is a ratio, and the denominator is expressed in thousands to prevent the value of the metric from being a very small number.
Security spending distribution by functional area:
$\frac{\text{Area IT security spending}}{\text{Total IT security spending}}$
Indicates the types of investments the enterprise is making.
Mapping of where resources are being applied relative to operational risk and agency strategic plans.
Snapshot of tradeoffs made, and the winners and losers.
Human Capital7
Measure of IT security support intensity from a human capital perspective.
IT security FTEs as a percentage of Total Employees:
$\frac{\text{IT security FTEs}}{\text{Total Employees}} \times 100$
IT security FTEs as a percentage of Total IT FTEs:
$\frac{\text{IT security FTEs}}{\text{Total IT FTEs}} \times 100$
Assists in determining if staff size for the enterprise is appropriate.
Can also be broken down to personnel in common areas such as Identity and Access Management, Network Security, End Point Security, and Data Security.
Human Capital by Function Area
IT Security staffing distribution by functional area indicates
personnel investments by functions.
Common Functional Areas Include:
Identity and Access Management
Network Security
End Point Security
Data Security
Governance
Risk
Compliance Management
The distribution of operational infrastructure security
staffing by task provides an understanding of how security
FTEs are dispersed to support the technology
environments.
Tend to be Personnel Intensive
Significant Qualitative Factors.
Limitations of Existing Metrics
Existing security metrics exhibit a low level of
correlation with vulnerabilities and attacks.
Often, they fail to provide an adequate assessment of
security.
The number of vulnerability exploits is not proportional
to the total number of vulnerabilities discovered in a
Windows operating system.
There is no apparent correlation between the number
of vulnerabilities discovered, and the size of the OS
code.
This suggests the existence of deployment-specific
factors, yet to be characterized systematically, that
influence the security of systems in active use.
Commonly Neglected (but important) Metrics
Coverage – the type of scanning: agent based, authenticated with a username and password, or unauthenticated?
Vulnerability Dwell Time – the time a known vulnerability remains active on an enterprise.
Average number of Vulnerabilities per Asset over time – measure vulnerabilities over a continuous period of time. Do not rely on individual scan results, which may not have seen all the assets during a scan and so show drops that are in reality only scanning gaps.
Remediation of vulnerabilities vs. SLAs – How quickly an organization or its agents successfully remediate its vulnerabilities demonstrates program effectiveness (especially for cloud-based assets).
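The following is an added example, not code from the presentation or from Cisco, showing how the neglected metrics on this slide and Cisco's on-time correction metric can be computed from the same scan history. It replays a constructed series of scans, keeps a finding open until a later scan actually covers the asset and no longer reports it (so a scanning gap is not mistaken for remediation), and then reports dwell time and remediation vs. SLA using the deck's BOD 19-02 time limits. The scan records, asset names and vulnerability ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Remediation deadlines in days by severity, taken from the deck's BOD 19-02 table.
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 30}


@dataclass
class Finding:
    asset: str
    vuln_id: str
    severity: str
    first_seen: date
    closed: Optional[date] = None  # first scan that covered the asset and no longer reported the vuln

    def dwell_days(self, as_of: date) -> int:
        """Vulnerability dwell time: days from first observation to closure (or to as_of if still open)."""
        return ((self.closed or as_of) - self.first_seen).days

    def on_time(self, as_of: date) -> bool:
        """On-time correction: closed (or still open) within the severity's SLA window."""
        return self.dwell_days(as_of) <= SLA_DAYS[self.severity]


# A scan is (scan_date, {asset: {(vuln_id, severity), ...}}). An asset absent from the dict was
# NOT covered by that scan (a scanning gap), which is different from a clean (empty) result.
Scan = Tuple[date, Dict[str, Set[Tuple[str, str]]]]


def track_findings(scans: List[Scan]):
    """Replay scans in date order and carry finding state across scans.
    Returns (open findings, closed findings, [(date, tracked avg/asset, naive per-scan avg)])."""
    open_f: Dict[Tuple[str, str], Finding] = {}
    closed_f: List[Finding] = []
    trend = []
    known_assets: Set[str] = set()
    for scan_date, results in sorted(scans, key=lambda s: s[0]):
        known_assets.update(results)
        for asset, vulns in results.items():
            reported = {vid for vid, _ in vulns}
            for vid, sev in vulns:
                if (asset, vid) not in open_f:
                    open_f[(asset, vid)] = Finding(asset, vid, sev, scan_date)
            # Close only findings on assets this scan actually covered.
            for key in [k for k in open_f if k[0] == asset and k[1] not in reported]:
                f = open_f.pop(key)
                f.closed = scan_date
                closed_f.append(f)
        tracked_avg = len(open_f) / len(known_assets)
        # Naive figure: what this one scan reported divided by what it happened to see.
        naive_avg = sum(len(v) for v in results.values()) / max(len(results), 1)
        trend.append((scan_date, round(tracked_avg, 2), round(naive_avg, 2)))
    return list(open_f.values()), closed_f, trend


def sla_report(open_f: List[Finding], closed_f: List[Finding], as_of: date) -> dict:
    """Remediation vs. SLA summary in the style of Cisco's on-time correction metric."""
    findings = open_f + closed_f
    on_time = [f for f in findings if f.on_time(as_of)]
    return {
        "findings": len(findings),
        "on_time_pct": round(100.0 * len(on_time) / len(findings), 1),
        "max_dwell_days": max(f.dwell_days(as_of) for f in findings),
        "overdue_open": sorted(f.vuln_id for f in open_f if not f.on_time(as_of)),
    }


# Constructed sample scans (placeholder data, not from any real scanner).
D0 = date(2024, 1, 1)
SAMPLE_SCANS: List[Scan] = [
    (D0, {"web01": {("V-1", "critical"), ("V-2", "moderate")},
          "db01": {("V-3", "high"), ("V-5", "high")}}),
    (D0 + timedelta(days=10), {"web01": {("V-2", "moderate")}}),  # db01 not scanned: coverage gap
    (D0 + timedelta(days=20), {"web01": {("V-2", "moderate")},
                               "db01": {("V-3", "high"), ("V-5", "high")}}),
    (D0 + timedelta(days=40), {"web01": {("V-4", "critical")}, "db01": set()}),
]
AS_OF = D0 + timedelta(days=50)

if __name__ == "__main__":
    open_f, closed_f, trend = track_findings(SAMPLE_SCANS)
    for d, tracked, naive in trend:
        print(f"{d}: tracked avg/asset={tracked}  naive per-scan avg={naive}")
    print(sla_report(open_f, closed_f, AS_OF))
```

On the second scan the naive per-scan average drops to 1.0 because db01 was not seen, while the tracked average stays at 1.5; that difference is exactly the "scanning gap" artefact the slide warns against. The SLA summary counts a still-open finding as on time only while it is inside its window, so a dashboard built on it degrades as findings age rather than only when they are closed late.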
Novel New Metrics
Symantec Research Labs and The University of
Maryland at College Park have proposed new security
metrics which are measured in the deployment
environment.
Once a system is deployed, security becomes a moving
target as attackers exploit new vulnerabilities (to
subvert the system's functionality), vendors distribute
software updates (to patch vulnerabilities and improve
security), and users reconfigure the system to add
functionality.
The following four new metrics are derived from field-
gathered data and thus capture the state of system
security as experienced by the end users.
Vulnerabilities Exploited in the Wild
$V_p^{ex}$ = a count of vulnerabilities exploited in the wild.8
For a product $p$, it is the subset of the product's disclosed vulnerabilities that have been exploited in the wild.
Prior research has suggested that these signatures represent the best indicator for which vulnerabilities are exploited in real-world attacks.
The metric combines information from the National Vulnerability Database (NVD) and Symantec’s databases of attack signatures to obtain the subset of a product’s disclosed vulnerabilities that have been exploited.
The NVD is a public database of software vulnerabilities which is widely accepted for vulnerability research.
Exploitation ratio
The exploitation ratio is the proportion of disclosed vulnerabilities for a product $p$ that have been exploited up until time $t$.8
$ER_p(t) = \frac{V_p^{ex}(t)}{V_p(t)}$
It captures the likelihood that a vulnerability will be exploited at time $t$.
The ratio is time dependent.
Attack Volume
Attack Volume, $AV_p$, is a measure of how frequently a product $p$ is attacked.8
Intuitively, it is the average number of attacks experienced by a machine in a month due to a product $p$ being installed.
It is the number of attacks that exploit a vulnerability of $p$ against hosts with $p$ installed, normalized by the total number of machine-months during which $p$ was installed.
Exercised Attack Surface
The exercised attack surface, $EAS_h^p(m)$, captures the portion of the theoretical attack surface of a host that is targeted in a particular month.8
Intuitively, the exercised attack surface is the number of distinct vulnerabilities that are exploited on a host $h$ in a given month $m$.
The exercised attack surface attributable to a particular product can be computed for a particular time interval depending upon the situational awareness required.
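As an added example (not code from the presentation or from the Nayak et al. paper), the four field-measured metrics from the last four slides computed over constructed data: a disclosure list standing in for the NVD side, a first-seen-in-the-wild date per vulnerability standing in for the attack-signature side, and attack telemetry with per-host install months. Product, host and vulnerability identifiers are placeholders; dates are ISO strings so they compare correctly as text.

```python
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample data (placeholder identifiers, not real NVD or Symantec records) ---
# Disclosure date per vulnerability, grouped by product (the NVD side of the metric).
DISCLOSED: Dict[str, Dict[str, str]] = {
    "prodA": {"VULN-A1": "2023-01-05", "VULN-A2": "2023-03-01",
              "VULN-A3": "2023-06-01", "VULN-A4": "2023-09-01"},
}
# First date an attack signature matched each vulnerability in the wild (the signature side).
EXPLOITED_SINCE: Dict[str, str] = {"VULN-A1": "2023-02-01", "VULN-A3": "2023-07-15"}
# Telemetry: one row per observed attack (host, "YYYY-MM", vuln_id).
ATTACKS: List[Tuple[str, str, str]] = [
    ("h1", "2023-02", "VULN-A1"), ("h1", "2023-02", "VULN-A1"), ("h2", "2023-02", "VULN-A1"),
    ("h1", "2023-07", "VULN-A3"), ("h1", "2023-07", "VULN-A1"), ("h3", "2023-07", "VULN-A3"),
    ("h3", "2023-08", "VULN-A1"),  # h3 no longer had prodA in 2023-08: excluded from AV_p
]
# Months in which each host had each product installed (defines the machine-months).
INSTALLED: Dict[str, Dict[str, Set[str]]] = {
    "h1": {"prodA": {"2023-01", "2023-02", "2023-03", "2023-07"}},
    "h2": {"prodA": {"2023-02", "2023-03"}},
    "h3": {"prodA": {"2023-07"}},
}


def vulns_disclosed(p: str, t: str) -> Set[str]:
    """V_p(t): vulnerabilities of product p disclosed on or before date t."""
    return {v for v, disclosed_on in DISCLOSED[p].items() if disclosed_on <= t}


def vulns_exploited(p: str, t: str) -> Set[str]:
    """V_p^ex(t): the subset of V_p(t) that an attack signature had matched in the wild by t."""
    return {v for v in vulns_disclosed(p, t) if v in EXPLOITED_SINCE and EXPLOITED_SINCE[v] <= t}


def exploitation_ratio(p: str, t: str) -> Optional[float]:
    """ER_p(t) = V_p^ex(t) / V_p(t); undefined (None) until p has a disclosed vulnerability."""
    disclosed = vulns_disclosed(p, t)
    if not disclosed:
        return None
    return len(vulns_exploited(p, t)) / len(disclosed)


def attack_volume(p: str) -> float:
    """AV_p: attacks exploiting a vulnerability of p against hosts that had p installed in that
    month, divided by the total machine-months during which p was installed."""
    product_vulns = set(DISCLOSED[p])
    machine_months = sum(len(months.get(p, ())) for months in INSTALLED.values())
    hits = sum(1 for host, month, v in ATTACKS
               if v in product_vulns and month in INSTALLED.get(host, {}).get(p, set()))
    return hits / machine_months if machine_months else 0.0


def exercised_attack_surface(h: str, p: str, m: str) -> int:
    """EAS_h^p(m): distinct vulnerabilities of p exploited on host h during month m."""
    product_vulns = set(DISCLOSED[p])
    return len({v for host, month, v in ATTACKS if host == h and month == m and v in product_vulns})


if __name__ == "__main__":
    for t in ("2023-02-15", "2023-08-01", "2023-12-31"):
        print(t, "ER_prodA =", exploitation_ratio("prodA", t))
    print("AV_prodA =", round(attack_volume("prodA"), 3))
    print("EAS_h1^prodA(2023-07) =", exercised_attack_surface("h1", "prodA", "2023-07"))
```

Note that the ratio changes as time moves: at 2023-02-15 only one vulnerability is disclosed and it is already exploited (ER = 1.0), while by year end four are disclosed and two exploited (ER = 0.5). That is the time dependence the slide calls out, and it is why a snapshot value needs its date attached.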
CVSS Vulnerability Measurement
Vulnerability measurement remains one of the most
popular areas for metric development.
The Common Vulnerability Scoring System (CVSS) was
designed to provide an overall composite score
representing the severity and risk of a vulnerability.9
The CVSS score is derived from metrics and formulas.
Metrics are in three distinct categories that can be
quantitatively or qualitatively measured.
Base metrics contain qualities that are intrinsic to any given
vulnerability that do not change over time or in different
environments.
Temporal metrics contain vulnerability characteristics which evolve
over the lifetime of vulnerability.
Environmental metrics contain those vulnerability characteristics
which are tied to a specific implementation in an enterprise.
The 7 CVSS Base Metrics9
1. Access Vector (AV): is the vulnerability exploitable locally or remotely?
2. Access Complexity (AC): the complexity of the attack required to exploit the vulnerability once access is gained to the target system (high or low).
3. Authentication (A): does an attacker need to be authenticated to the target system in order to exploit the vulnerability?
4. Confidentiality Impact (CI): the impact on confidentiality of a successful exploit of the vulnerability on the target system (none, partial, or complete).
5. Integrity Impact (II): the impact on integrity of a successful exploit of the vulnerability on the target system (none, partial, or complete).
6. Availability Impact (AI): the impact on availability of a successful exploit of the vulnerability on the target system (none, partial, or complete).
7. Impact Bias (IB): allows a score to convey greater weighting to one of the three impact metrics over the other two.
CVSS Temporal & Environmental10
Temporal metrics represent the time-dependent features of the vulnerability; under the CVSS framework they are:
1. Exploitability (the difficulty involved in exploiting the vulnerability).
2. Remediation level (the maturity level of a fix).
3. Report confidence (the credibility of the threat).
Environmental metrics represent the implementation- and environment-specific features of the vulnerability; under the CVSS framework they are:
1. Collateral Damage Potential (CDP) measures the potential for a loss of physical equipment, property damage, or loss of life or limb (none, low, medium, or high).
2. Target Distribution (TD) measures the relative size of the field of target systems susceptible to the vulnerability (none, low, medium, or high).
A Novel Vulnerability Method
Moving averages can help discern when vulnerability growth exceeds historical norms.
A short-term moving average and a long-term moving average are calculated for the enterprise.
When the short-term moving average crosses the long-term moving average on the Y-axis in the positive direction, it is indicative of faster than normal vulnerability growth and/or a lack of sufficient remediation.
When the short-term moving average crosses the long-term moving average on the Y-axis in the negative direction, it is indicative of successful vulnerability remediation efforts restoring norms.
Moving Average Flags (chart: “Exceeding Norms” and “Restoration to Norms” crossover points)
Moving Average Considerations
The short and long term moving average intervals
(windows) must be set appropriately, taking into
consideration vulnerability severity.
The more severe the vulnerability, the smaller the short
term moving average interval (window) should be.
The short term window should not exceed the required
remediation time for the severity of the vulnerability.
Baseline creep is a reality when utilizing the moving
average technique.
The baseline tends to deviate from its starting norms
with time, often upward.
This can be adjusted for with hard stop upper and
lower control limits based on historical norms.
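An added example (not the presenter's code) implementing the crossover method from the previous slides together with the considerations on this one: the short window is capped at the severity's remediation time limit from the deck's BOD 19-02 table, crossovers in both directions are flagged, and hard-stop control limits catch the baseline creep that the moving averages themselves absorb. The daily open-vulnerability counts are a constructed series, and the "long window = 4 × short window" rule is this example's assumption, not a value from the deck.

```python
from typing import List, Optional, Tuple

# Remediation time limits by severity (deck's BOD 19-02 table); used to cap the short window.
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 30}


def choose_windows(severity: str, requested_short: int = 14, long_factor: int = 4) -> Tuple[int, int]:
    """The short window never exceeds the severity's remediation time limit; the long window is
    a multiple of the short one (the factor of 4 is an assumption made for this example)."""
    short = min(requested_short, SLA_DAYS[severity])
    return short, short * long_factor


def moving_average(series: List[float], window: int) -> List[Optional[float]]:
    """Simple moving average; None until a full window of history exists."""
    return [None if i + 1 < window else sum(series[i + 1 - window:i + 1]) / window
            for i in range(len(series))]


def crossover_flags(counts: List[float], short_window: int, long_window: int) -> List[Tuple[int, str]]:
    """Days on which the short-term average crosses the long-term one.
    'exceeding' = short crosses above long (growth beyond the norm or remediation lagging);
    'restored'  = short crosses back below long (remediation has restored the norm)."""
    short = moving_average(counts, short_window)
    long_ = moving_average(counts, long_window)
    flags: List[Tuple[int, str]] = []
    prev: Optional[int] = None  # last non-zero sign of (short - long); 0 only on the first valid day
    for i, (s, l) in enumerate(zip(short, long_)):
        if s is None or l is None:
            continue
        sign = (s > l) - (s < l)
        if prev is None:
            prev = sign
        if sign and sign != prev:
            flags.append((i, "exceeding" if sign > 0 else "restored"))
        if sign:
            prev = sign
    return flags


def control_limit_flags(counts: List[float], lower: float, upper: float) -> List[Tuple[int, str]]:
    """Hard-stop limits from historical norms: a raw count outside [lower, upper] is flagged
    even if both moving averages have drifted along with it (baseline creep)."""
    return [(i, "above_upper" if c > upper else "below_lower")
            for i, c in enumerate(counts) if c > upper or c < lower]


# Constructed daily counts of open critical findings: a flat norm of 100, a ramp to 140, a plateau,
# then remediation bringing the count back to 100.
SAMPLE_COUNTS: List[float] = ([100] * 10 + [110, 120, 130, 140, 140, 140, 140, 140]
                              + [130, 120, 110, 100, 100, 100, 100, 100])

if __name__ == "__main__":
    short_w, long_w = 3, 6  # deliberately small so the 26-day sample has enough history
    print("windows for critical:", choose_windows("critical"))
    print("crossovers:", crossover_flags(SAMPLE_COUNTS, short_w, long_w))
    print("control-limit breaches:", control_limit_flags(SAMPLE_COUNTS, lower=90, upper=125))
```

With the sample series the short average crosses above the long one on day 10, the first day after the ramp begins, and crosses back below on day 18, when remediation starts; the control-limit check independently flags days 12 through 18, where the raw count sits above the historical ceiling regardless of what the averages are doing.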
Balanced Scorecards
Robert Kaplan and David Norton of Harvard University
developed a concept called the “Balanced Scorecard.”11
Adapted to security, the Balanced Scorecard helps bridge
the gap between information security and management.
The Center for Internet Security (CIS) has defined twenty-eight significant metrics that encompass seven business functions. The seven business functions are incident management, vulnerability management, patch management, configuration management, change management, application security, and financial metrics.12
The Center for Internet Security advocates security
scorecards with only three main sections: Impact,
Operations, and Financial.
Forrester Best Scorecard Practices
Forrester Research recommends that seven or fewer metrics be used when presenting metrics on a scorecard to senior executives.13
Scorecard updating should be automated.
Do not rely solely on absolute numbers; Forrester advocates tracking proportions as well.
Forrester lists six categories to track in Balanced Security Scorecards:
1) demographics; 2) security; 3) compliance; 4) administration cost and efficiency; 5) business agility and service delivery; and 6) customer-facing Identity and Access Management.
Wrap Up
There exists a plethora of metrics for discerning situational awareness of the state of IT security within an enterprise.
Significant gaps in awareness exist with many of the more commonly used metrics, while some commonly neglected metrics frequently tell a more holistic story.
Not all metrics are applicable to every enterprise, and customized metrics and/or parameterization may be necessary depending on organizational needs.
Recognize that metrics which measure “what got you here” may not facilitate getting to the next goal post.
Metrics are frequently time dependent and have boundary conditions; determine these limitations.
References
1. Paul Proctor, Jeffrey Wheatman, Rob McMillan. “Develop Key Risk Indicators and Security Metrics That Influence Business Decision Making.” Page 1. Gartner Research, ID G00276149, 31 July 2015.
2. Rob McMillan. “Sharpen Your Security Metrics to Make Them Relevant and Effective.” Page 6. Gartner Research, ID G00259303, published 13 May 2014, refreshed 5 December 2016.
3. Rob McMillan. “Five Required Characteristics of Security Metrics.” Page 2. Gartner Research, ID G00245748, published 5 December 2012, refreshed 3 March 2017.
4. Stephanie Balaouras, Laura Koetzle, Chase Cunningham, Jeff Pollard, Heidi Shey, Bill Barringham, Peggy Dostie. “Craft Zero Trust Security Metrics That Matter To Your Business, Performance Management: The Security Architecture and Operations Playbook.” Page 4. Forrester Research, March 27, 2018.
5. Jeffrey Wheatman, Rob McMillan. “Apply Five Rules to Your Security Metrics.” Page 8. Gartner Research, ID G00341872, 7 November 2017.
6. Gerwin Tijink, Hessel Heerebout. “Unified Security Metrics.” Page 5. Cisco White Paper, C11-737409, 2016.
7. Stegman. “IT Key Metrics Data 2019.” Page 21. Gartner Research, ID G00375660.
8. Kartik Nayak, Daniel Marino, Petros Efstathopoulos, Tudor Dumitras. “Some Vulnerabilities Are Different Than Others: Studying Vulnerabilities and Attack Surfaces in the Wild.” Pages 1-2. University of Maryland, College Park, and Symantec Research Labs. International Symposium on Research in Attacks, Intrusions and Defenses 2014, 17 September 2014.
9. Victor-Valeriu Patriciu, Iustin Priescu, Sebastian Nicolaescu. “Security Metrics for Enterprise Information Systems.” Page 153. Journal of Applied Quantitative Methods, Vol. 1, No. 2, Winter 2006.
10. Wayne Jansen. “Directions in Security Metrics Research.” Page 8. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, NISTIR 7564, April 2009.
11. Andrew Jaquith. “Proving Your Worth: Follow These Steps to Create a Successful Security Metrics Program.” Page 31. Information Security, March 2010.
12. “The CIS Security Metrics.” Page 8. The Center for Internet Security, November 1, 2010.
13. Andras Cser, Merritt Maxim, Stephanie Balaouras, Madeline Cyr, Bill Barringham, Peggy Dostie. “Develop Actionable Business-Centric Identity And Access Management Metrics, Performance Management: The Identity And Access Management Playbook.” Page 5. Forrester Research, July 27, 2018.