From: InfoSec News (alertsinfosecnews.org)
Date: Thu May 28 2009 - 00:14:28 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.networkworld.com/newsletters/sec/2009/052509sec2.html

Security Strategies Alert
By M. E. Kabay
Network World
05/27/2009

One of the most difficult aspects of managing risk in information
assurance (IA) is that our statistical information is so poor. We don't
know about security breaches that we have not noticed; we don't report
all the breaches that we do notice to any central collection point; and
we use dreadful methodology for collecting information using poorly
constructed surveys that have tiny percentages of respondents, no
internal validation and no follow-up verification.

On a practical level, the question arises of just exactly what we should
be measuring (such as how to define security metrics) as ways of
understanding and managing security issues.

Dr. Gary Hinson, CISSP, CISA, CISM, MBA of Isect wrote an excellent
paper entitled "Seven myths about information security metrics" that was
originally published in the ISSA Journal in July 2006. Hinson
thoughtfully and articulately challenges these seven common assertions
(quoting the headings):

1. Metrics must be objective and tangible
2. Metrics must have discrete values
3. We need absolute measurements
4. Metrics are costly
5. You can't manage what you can't measure and you can't improve what
   you can't manage
6. It is essential to measure process outcomes
7. We need the numbers!

[...]

_____________________________________________
Visit the InfoSec News security bookstore!
http://www.shopinfosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]