Update: My apologies to anyone who read the previous version when it was microscopic text. I didn’t pay attention to the cut-and-paste effect from email to blog.
I am on a mailing list that discusses Security Metrics. Here are some I have thrown out there. Comments, anyone?
Value-Based Metrics
- IAV (Information Asset Value): dollar amount of how much info assets are worth. Since most people appear concerned about valuing assets, I have two prescriptions: 1) read Kenneth Feinberg’s "What is Life Worth?" to realize that EVERYTHING can be valued, and it only has to be "right" to the people involved; and 2) use IT Spending as a placeholder and potentially change the word "value" to "cost." (This is sort of like balance sheet stuff.)
- Transaction Value: dollar amount of revenue/spend occurring in total (and later, average, std deviation, etc.).
- Transactions: (I count flows, sessions, program operations, and data transactions). Used to understand the volume of activity that occurs online within the context of human usage and value.
- Number of IP Addresses: undeveloped… need some measurement of size, I think. Could be IP Addresses, ports, processors, units (clients, servers, databases, applications, etc.) or all…
Control-Related Metrics
- Attack Rate: the number of good events in between every bad event. This number would assert, for example, that 1 of every 250,000 events is an attack. This can then be broken down into attack types like the ones Counterpane recently released.
- Control Coverage: a metric that addresses the breadth of a control. For example, 95% control coverage means that 5% of the activity in an environment associated with that control is not evaluated.
- CPTs (Controls per transaction): the average number of control events being applied to any single transaction. This applies to inline "gateway" controls like authentication, user access control, system access control, NIPS and HIPS (network and host intrusion prevention systems) that evaluate activity and either allow it or deny it.
- Exposure Index: the total number of attackable items for any given resource. This may be as simple as open ports or as complex as some derivative of Howard/Wing’s RASQ. It also relates to control coverage, sort of like potential vs. kinetic energy.
- CPC (Cost per control): a dollar measure that divides the total security spend by the total CPTs above.
Incident Metrics
- Control Success Rate: (total controlled events minus the sum of false positives and false negatives) divided by total controlled events.
- Prevention Rate: % of attacks that don’t result in incidents
- Risk Aversion Rate: number of false positives / number of false negatives, as measured by help desk calls (a failed login by a legitimate person is a "false positive", by my definition). Divide by zero = total aversion.
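To make the control-related and incident metrics concrete, here is an added worked example (not code from the original post) that computes Attack Rate, Control Coverage, CPTs, Control Success Rate, Prevention Rate and Risk Aversion Rate over a constructed sample of eight transactions and the inline control events recorded against them. It assumes the transaction is the unit of activity, that a transaction's ground-truth label (attack or not) is known after the fact, and that an attack counts as an incident only if no control blocked it; the Exposure Index and CPC are left out because the post does not pin down their inputs.

```python
"""Worked computation of the control-related and incident metrics defined above.

Constructed sample data (not from the post): eight transactions with a
ground-truth label, and the inline control events evaluated against them.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    malicious: bool  # ground truth, established after the fact (e.g. incident review)


@dataclass(frozen=True)
class ControlEvent:
    txn_id: str
    control: str   # which inline gateway control evaluated the transaction
    blocked: bool  # True = denied, False = allowed


# Constructed sample: six legitimate transactions and two attacks.
TRANSACTIONS = [
    Transaction("t1", False), Transaction("t2", False), Transaction("t3", False),
    Transaction("t4", False), Transaction("t5", False), Transaction("t6", False),
    Transaction("t7", True), Transaction("t8", True),
]

# Constructed sample: authentication evaluates every transaction; the NIPS sees
# only six of the eight (t5 and t6 never crossed a monitored segment).
EVENTS = [
    ControlEvent("t1", "authn", False), ControlEvent("t2", "authn", False),
    ControlEvent("t3", "authn", False), ControlEvent("t4", "authn", False),
    ControlEvent("t5", "authn", True),   # legitimate user locked out: false positive
    ControlEvent("t6", "authn", False),
    ControlEvent("t7", "authn", False),  # attacker used valid credentials: false negative
    ControlEvent("t8", "authn", False),  # same
    ControlEvent("t1", "nips", False), ControlEvent("t2", "nips", False),
    ControlEvent("t3", "nips", False), ControlEvent("t4", "nips", False),
    ControlEvent("t7", "nips", True),    # attack blocked: true positive
    ControlEvent("t8", "nips", False),   # attack missed: false negative
]


def attack_rate(transactions):
    """Good transactions per bad one ('1 of every N is an attack' when N = rate + 1)."""
    bad = sum(t.malicious for t in transactions)
    good = len(transactions) - bad
    return math.inf if bad == 0 else good / bad


def control_coverage(transactions, events):
    """Share of all transactions each control actually evaluated."""
    seen = defaultdict(set)
    for e in events:
        seen[e.control].add(e.txn_id)
    return {c: len(ids) / len(transactions) for c, ids in seen.items()}


def controls_per_transaction(transactions, events):
    """CPT: average number of control evaluations per transaction."""
    return len(events) / len(transactions)


def classify(transactions, events):
    """Count false positives (benign blocked) and false negatives (malicious allowed)."""
    truth = {t.txn_id: t.malicious for t in transactions}
    fp = sum(1 for e in events if e.blocked and not truth[e.txn_id])
    fn = sum(1 for e in events if not e.blocked and truth[e.txn_id])
    return fp, fn


def control_success_rate(transactions, events):
    """(controlled events - (FP + FN)) / controlled events."""
    fp, fn = classify(transactions, events)
    return (len(events) - (fp + fn)) / len(events)


def prevention_rate(transactions, events):
    """Share of attacks that never became an incident, i.e. some control blocked them."""
    attacks = [t.txn_id for t in transactions if t.malicious]
    blocked = {e.txn_id for e in events if e.blocked}
    if not attacks:
        return math.nan  # no attacks observed, rate undefined
    return sum(1 for a in attacks if a in blocked) / len(attacks)


def risk_aversion_rate(fp, fn):
    """FP / FN; the post treats division by zero as 'total aversion', hence inf."""
    if fn == 0:
        return math.inf if fp else math.nan
    return fp / fn


if __name__ == "__main__":
    fp, fn = classify(TRANSACTIONS, EVENTS)
    print(f"attack rate      : {attack_rate(TRANSACTIONS):.2f} good per bad")
    print(f"control coverage : {control_coverage(TRANSACTIONS, EVENTS)}")
    print(f"CPT              : {controls_per_transaction(TRANSACTIONS, EVENTS):.2f}")
    print(f"control success  : {control_success_rate(TRANSACTIONS, EVENTS):.3f}")
    print(f"prevention rate  : {prevention_rate(TRANSACTIONS, EVENTS):.0%}")
    print(f"risk aversion    : {risk_aversion_rate(fp, fn):.2f}")
```

On this sample the authentication control covers 100% of transactions but the NIPS only 75%, CPT is 1.75, and the three attack-allowed events plus one lockout give a control success rate of 10/14; the one attack that no control stopped halves the prevention rate. Note that a control with zero false negatives pushes the risk aversion rate to infinity, which is exactly the "total aversion" reading the post gives to division by zero.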
Security Metrics Discussion
One of the main problems in computer security is a lack of agreed-upon metrics for measurement and resource allocation purposes; this inhibits the ability to make progress. Pete Lindstrom has posted an interesting decomposition of the security metrics …
Useful list for starters. But what is the intended use/purpose of these metrics?
One of the possible uses of value-based metrics is to drive pricing of security products and services – in other words, payment by results. (Both for cross-charging within a single organization, and for billing between organizations.)
Do you have any experience of this?
Hi, Richard -
The list is intended for use by security professionals in enterprises to properly assess the relative strength/weakness of their programs.
Value-based pricing is an interesting use case, but not one I intended. I will have to think about how it might work. At this stage, it isn’t practical simply because nobody is really doing anything like this in enterprises.