Category Archives: Security Metrics

Are Cybersecurity Intelligence and Security Metrics Statistically Significant?

– It is customary to begin an article on cybersecurity with some statement about the exponential growth of threats, attacks, vulnerabilities, etc. I’m no different. It seems like a reasonable, generally accepted thing to do. So, I was somewhat surprised when someone pushed back on such a statement…

Security Metrics and Tesla’s Safety Statistics

– I have long railed against the inadequacy of popular easy-to-record security metrics. They usually lack critical information about the nature and severity of vulnerabilities and are therefore misleading in providing support for decision-making. I addressed this point in my article “Accounting…

More Password Folly

– This is the season when we usually learn about the list of the most popular—and hence vulnerable—passwords … and this year is no exception. From evaluating “millions of leaked passwords,” Splashdata determined which were the most easily hacked. Topping the list is “123456,” followed…
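The practical counterpart to these annual lists is to screen candidate passwords against them at enrollment time, as NIST SP 800-63B (section 5.1.1.2) recommends. The following is an added example, not code from the original post or from SplashData: the blocklist is a small constructed set standing in for a full leaked-password list loaded from a file, and the trailing-digit heuristic and the `check_password` policy are illustrative choices, not a published standard.

```python
# Added example: reject passwords that appear on a common-password blocklist,
# including trivial variants such as "Password1" or "qwerty2018".
# The blocklist below is constructed for illustration; in practice load the
# full list (SplashData, Have I Been Pwned, or similar) from disk.
import re

COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "football", "iloveyou", "admin",
}

_TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(candidate: str) -> str:
    """Case-fold and trim so 'Password ' is compared as 'password'."""
    return candidate.strip().casefold()


def is_blocklisted(candidate: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True if the password, or its stem with trailing digits removed,
    is on the blocklist. The stem check is a heuristic (assumption) that
    catches the common "append a year or a 1" variant."""
    norm = normalize(candidate)
    if norm in blocklist:
        return True
    stem = _TRAILING_DIGITS.sub("", norm)
    # An all-digit password reduces to an empty stem; only the exact match above counts.
    return bool(stem) and stem in blocklist


def check_password(candidate: str, min_length: int = 8) -> tuple[bool, str]:
    """Hypothetical enrollment policy: length floor, then blocklist screen."""
    if len(candidate) < min_length:
        return False, "shorter than minimum length"
    if is_blocklisted(candidate):
        return False, "appears on common-password blocklist"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "Password1", "Qwerty2018", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw))
```

Screening against the list is cheap and catches exactly the passwords these annual surveys show attackers try first; pair it with a length floor rather than composition rules, which push users toward predictable variants of the same list entries.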

Lies, Bigger Lies … and Cybersecurity Analytics

– The original phrase “lies, damned lies, and statistics” is attributed to Mark Twain. There have been several books using this phrase in their titles. It always stuck in my mind and has been reinforced over the years with validating experience. There is an article in the October 2018 issue of…

Security Metrics, Application Security and Cancer Research

– I would not have thought that there would be a relationship among security metrics, application security and cancer research until I read an article in the Sunday Magazine section of the June 17, 2018 New York Times by Siddhartha Mukherjee with the lengthy title “A way of thinking about cancer…