Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Patrick Foley

Down the PCI Rabbit Hole in Search of Better Risk Measurements

In my recent article on metrics, I alluded to the challenges of measuring risk and security with any consistent model.  I mentioned that financial services and insurance companies have been building and analyzing risk profiles for many years and using them to drive investment decisions or set premiums.  Every organization will have its own “personal” set of decision drivers: the experience and prejudices of the people making the decisions, the financial health and public reputation of the entity, the quality of the data available to decision-makers, and the industry and markets in which it operates.  Even so, I have wondered whether it is possible, or even desirable, to have a consistent method for measuring security risk and how well our employer mitigates and manages it.

I belong to a mailing list (discuss@securitymetrics.org) that hosts extremely insightful and intellectual discussions on security metrics.  A recent extended round of e-mails on whether risk is ever zero produced a wide range of opinion on how to measure risk, but also a rough consensus that quantifying it, while desirable, is hard to achieve because there is no agreement on consistent measures.  That may be the current condition of the security metrics world, thanks to a history of homegrown approaches, immature technology and security risk models, constantly shifting and emerging threat vectors, and a limited, though growing, appreciation of the effect of technology security risk on an organization’s success.  Ultimately, though, we security professionals will have to lead our practices out of the current security metrics Babel and, if not into a land flowing with milk and honey, at least to a place where we can more successfully benchmark effective security controls and practices.
