Measuring Computer Security

Summary:Metricon 1.0 took place in Vancouver earlier this month.

Metricon 1.0 took place in Vancouver earlier this month. I wasn't able to be there in person, but I've been reviewing the material that the conference produced. The premise of the conference is pretty simple: we need better metrics for computer security.

Andrew Jaquith of the Yankee Group and Steven Bellovin of Columbia University delivered keynotes that took a point-counterpoint approach on metrics.

You can access all the slides from the presentations individually. It can often be difficult to make sense of a talk purely from the slides, but I found Tim Geer's presentation to a USENIX session the day before Metricon to be very readable and informative. Tim includes notes on many of the slides and that helps. Be warned, it's very long (346 slides).

In setting up the whole discussion, Tim mentions an interchange with a CISO of a major Wall Street bank who said "Are you security people so stupid that you cannot tell me...."

  • How secure am I?
  • Am I better off than this time last year?
  • Am I spending the right amount of $$?
  • How do I compare to my peers?
  • What risk transfer options do I have?

Every other part of the bank could answer similar questions to five digit accuracy, so why couldn't security professionals?

An article in CSO Online goes over five measurements from Andrew Jaquith that you could use right now in your business (see the article for details):

  1. Baseline Defenses Coverage (Antivirus, Antispyware, Firewall, and so on)
  2. Patch Latency
  3. Password Strength
  4. Platform Compliance Scores
  5. Legitimate E-Mail Traffic Analysis

Geer mentions these and others in his presentation. These are informative without being overly complex. That said, Jaquith isn't fond of overly simplistic models based on red, yellow, and green dots as substitutes for real data.

I've found over and over again that people pay attention to what you measure. That's good and bad. If you measure the wrong thing, people will pay attention tot he wrong thing. But by carefully picking metrics and putting in place a methodology for generating and reviewing them, you can go a long way toward helping an organization pay attention to what matters.

Topics: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.