Data security metrics

Anything can be measured. As Bertrand Russell wrote –

All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.

This is one of the talks I gave at our weekly Thursday seminar.

The talk discusses how data security metrics fit into a value-based approach to security, giving examples of security metrics and a number of practical measurement techniques. It also shows how those metrics feed quantitative risk modeling: calculating the Value at Risk of information assets and justifying security investments by the risk reduction they buy per unit of cost.
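The page does not spell out the risk model used in the talk, so the following is an added illustration, not the talk's or the author's own model. It assumes a simplified quantitative model: the Value at Risk contributed by a threat is asset value × damage fraction × annual probability, countermeasures reduce a threat's risk multiplicatively, and investments are chosen greedily by risk reduction per unit of annual cost within a budget. The asset, threat and countermeasure figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # business value of the asset in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str               # name of the asset the threat targets
    annual_probability: float  # chance the threat materializes in a year
    damage: float            # fraction of asset value lost when it does


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: dict  # threat name -> fraction of that threat's risk removed


def threat_risk(assets, threat, applied):
    """Annual Value at Risk for one threat after the applied countermeasures.

    Assumed model: value * damage * probability, with each countermeasure
    removing its stated fraction of whatever risk remains (multiplicative)."""
    residual = 1.0
    for cm in applied:
        residual *= 1.0 - cm.mitigates.get(threat.name, 0.0)
    return assets[threat.asset].value * threat.damage * threat.annual_probability * residual


def value_at_risk(assets, threats, applied=()):
    """Total annual Value at Risk across all threats."""
    return sum(threat_risk(assets, t, applied) for t in threats)


def select_countermeasures(assets, threats, candidates, budget):
    """Greedy selection: repeatedly pick the affordable countermeasure with the
    best risk reduction per unit of cost, skipping any whose cost exceeds the
    risk it removes. Returns the chosen countermeasures in selection order."""
    chosen, remaining, spent = [], list(candidates), 0.0
    while True:
        current = value_at_risk(assets, threats, chosen)
        best = None
        for cm in remaining:
            if spent + cm.annual_cost > budget:
                continue  # not affordable with what is left of the budget
            reduction = current - value_at_risk(assets, threats, chosen + [cm])
            if reduction <= cm.annual_cost:
                continue  # costs more than the risk it removes: not justified
            ratio = reduction / cm.annual_cost
            if best is None or ratio > best[0]:
                best = (ratio, cm)
        if best is None:
            return chosen
        chosen.append(best[1])
        remaining.remove(best[1])
        spent += best[1].annual_cost


# Constructed sample data (hypothetical figures, not from the page).
ASSETS = {
    "customer_db": Asset("customer_db", 2_000_000.0),
    "source_code": Asset("source_code", 500_000.0),
}
THREATS = [
    Threat("sql_injection", "customer_db", 0.3, 0.5),  # 300,000 at risk
    Threat("insider_leak", "customer_db", 0.1, 0.8),   # 160,000 at risk
    Threat("laptop_theft", "source_code", 0.2, 0.4),   #  40,000 at risk
]
CANDIDATES = [
    Countermeasure("waf", 40_000.0, {"sql_injection": 0.7}),
    Countermeasure("dlp", 60_000.0, {"insider_leak": 0.5, "sql_injection": 0.2}),
    Countermeasure("disk_encryption", 5_000.0, {"laptop_theft": 0.9}),
    Countermeasure("code_review", 150_000.0, {"sql_injection": 0.5}),
]


def plan(budget):
    """Return (chosen countermeasure names, VaR before, VaR after) for a budget."""
    before = value_at_risk(ASSETS, THREATS)
    chosen = select_countermeasures(ASSETS, THREATS, CANDIDATES, budget)
    after = value_at_risk(ASSETS, THREATS, chosen)
    return [cm.name for cm in chosen], before, after


if __name__ == "__main__":
    names, before, after = plan(100_000.0)
    print(f"VaR before: {before:,.0f}  after: {after:,.0f}  with {names}")
```

With a 100,000 budget the greedy pass takes disk encryption first (36,000 of risk removed for 5,000) and then the WAF, and stops because the DLP product no longer fits the budget; raising the budget to 120,000 lets it add DLP as well. Code review is never chosen because its annual cost equals the risk it would remove, which is exactly the kind of comparison the metrics are meant to make possible.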

Security metrics anti-design patterns

I’ve been thinking recently about how most of our clients don’t collect security metrics. Then I got thinking about how there are anti-design patterns that typify firms with a higher level of vulnerability to a major data loss event.

Running security is no different from running a business – you have assets and threats, vulnerabilities and resources to protect the assets. There are widely accepted and practiced revenue models, costing models and performance metrics for businesses of all shapes and sizes, yet information security has not reached this stage of maturity. Taking two security standards as examples (ISO27001/27002 and PCI DSS 1.2) – it is clear that a well-structured list of security controls is not a substitute for measuring how effective those controls actually are.

So – how can we use anti-design patterns for diagnosing a firm with potential security issues?

Let’s start by looking at how a typical business uses metrics.

