How do we manage what we can't measure?
One of the cornerstones of the scientific method is measurability: a focus on defining the ways of counting or measuring aspects of reality that we hope will be strongly associated with the phenomena we are trying to understand. Thus Isaac Newton learned about the details of what became a theory of gravity by measuring how fast objects fall freely – and how fast they accelerate. B. F. Skinner learned about how vertebrates learn by counting successful and unsuccessful responses to stimuli. Business managers look at measures such as profit and loss, return on investment and other numerical indications of how their organizations are performing so that they can adapt to changing circumstances.
All of these measurements are globally known as metrics.
In May 2009, I published a review of some useful resources on security metrics. I was interested to read a response by Gary Hinson, the distinguished contributor to the field about whose paper I wrote in the column. He wrote [I have added the links]:
A new book by Krag Brotby (Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement) is a worthwhile addition to the field, along with Andrew Jaquith's modern classic Security Metrics: Replacing Fear, Uncertainty And Doubt.
Today we have a contribution specifically about Jaquith's book by Brian Judd, MSIA, CISSP. My colleague John Orlando interviewed Judd about the book for this column.
* * *
JO: What are "security metrics?"
BJ: Security metrics are simply the application of standards for measuring information security attributes. The term "security metrics" may be new to information security professionals, but the use of metric data is actually quite mature. Measuring quality and the concepts of quality control played a large role in the success of the United States' industrial revolution. Unfortunately, many organizations have not yet applied security metrics to their risk-management programs.
JO: Why are security metrics important to risk management?
BJ: Without metrics, risk analyses tend to be subjective and inaccurate. This fuzziness can lead to poorly allocated budgets and unmitigated vulnerabilities. The problem is that traditional risk management strategies based on Plan-Do-Check-Act (PDCA) are often subjective and they rely on qualitative guesswork. Collecting and analyzing quantitative security metrics allows information security professionals to make objective risk-management decisions based on quantitative data, much as insurance companies have been doing for decades with actuarial data.
JO: What brought you to this methodology?
BJ: My company provides information assurance consulting and I've been asked many times to help companies develop IT risk assessments. I've always used the OCTAVE Allegro methodology. Even after hundreds of hours of interviews and documentation, I've never really been happy with the finished product. It always felt like guesswork. Then I happened on Andrew Jaquith's book "Security Metrics: Replacing Fear, Uncertainty and Doubt". The first chapter is titled, "Escaping the Hamster Wheel of Pain." Within the first few pages, he spelled out the frustration I've been feeling for years…and the best part of the book is that he solves the problem! I am a huge fan of this book and I've recommended it to everyone who feels the pains of PDCA and qualitative risk assessments.
JO: Tell us about the Webcast you will be presenting.
BJ: I will be lecturing on "Understanding and Implementing Information Security Metrics" on Tuesday, Oct. 27 at 1-2 p.m. EDT; registration is free.
Participants will learn:
o What security metrics are
o What data make for good security metrics
o How to use security metrics to…
o Diagnose and solve problems
o Measure security program effectiveness
o Dozens of sources of good security metrics
o Methods of analyzing metric data
o Methods of presenting metric data
o Where to go for more information
* * *
Brian Judd is an information assurance consultant with SynerComm's AssureIT division supporting and implementing security solutions. His experience includes conducting security audits, vulnerability assessments and penetration tests, information security policy development, risk assessment development and security awareness training. He has a Master of Science in Information Assurance (MSIA) degree from Norwich University and is a CISSP.
John Orlando, PhD, is the Program Director for the MSIA and Master of Science in Business Continuity Management (MSBC) programs in the School of Graduate Studies at Norwich University.