Comments on: Thinking Strategically about Information Security Metrics

By: Pete

Pete — Tue, 09 Jun 2009 23:39:04 +0000

@Brad -

Incidents by definition or successful attacks and are within our control to the extent that our control infrastructure works to minimize them. If they are entirely out of our control, we wouldn’t have a profession (or a job).

It is okay to be skeptical, but I recommend not giving up without looking a bit more closely, and with fewer analogies.

Thanks for the comment,

Pete

By: Brad Andrews

Brad Andrews — Tue, 09 Jun 2009 22:05:28 +0000

I am not sure metrics are this simple. Incidents are totally outside your control, unless you limit those to “successful incidents.” While you can do some things to secure your border, for example, you cannot control when a new Worm is released or when someone decides to DoS your servers.

Applying these to other areas, like manufacturing or software development, has a lot more of the metrics under the control of the individual. Many areas even know the industry values for many things. Auto mechanics have a book that tells how long a given repair should take.

I don’t see how we are ever going to get to that state since we don’t have a repeatability to many things here, especially the incidents as I discussed above.

That makes me wonder if the whole focus on metrics is ultimately a waste of time….

Brad

By: PhilA

PhilA — Sun, 05 Apr 2009 07:19:49 +0000

Pete,

As always, a good post. Can you bring this to more practical terms?

What would your Infosec approach for metrics be at a technology manufacturing company or an Online business?

Thanks,
PhilA