Pete Lindstrom dreams a dream of security metrics: imagine an organization that presents a clear, concise and regular report such as the one below:
"Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with a 99.75 percent success rate) and we identified 1,700 suspect connections that required further analysis. We ultimately determined that five of those 1,700 were attempted intrusions, which we subsequently acted upon according to established procedures. There were no losses associated with the incidents."
I strongly agree with Pete's idea that metrics should focus on assets, value and transactions. For most enterprise and Web systems these are the lifeblood, and security should be viewed in this context.
Metrics around threats, vulnerabilities, controls, and response are only useful when in service of the assets, value, and transactions. Because threats, vulnerabilities, controls and response comprise most of what infosec people do, it is natural that this is what they seek to measure, but these micro metrics need to be incorporated into the larger view: what the business's assets and transactions are worth, and how the control activity protected that value.