Security can be measured
Security vendors have long been criticized for making grandiose claims about the efficacy of their wares. They have taken to presenting return on investment (ROI) arguments to justify the sales of their gear. In his article Security ROI: Fact or Fiction?, Bruce Schneier makes this point and further argues, quite effectively, that calculating a specific product or solution's potential ROI "is mostly bunk in practice."
I thoroughly agree. Further, I have seen vendors make a fast U-turn when a customer asks for a "guarantee" or "warranty" on the performance of the specific product in question. In my mind, any sort of ROI should be associated with a performance assurance. Or, one could equally ask the vendor, "OK, I see your ROI assumptions. Now, since you won't give me a written warranty, how much should I discount the value of your ROI proposition?" The two cannot be separated.
Bruce also makes well-reasoned cases for the use of ALE, or Annualized Loss Expectancy, a risk view of security budgeting.
My only fear is that readers might, as I did at first, come to the conclusion that security is not measurable. Far from it -- there are many additional specific data points that can contribute to the evaluation of risk and security. Some of them are indeed even derivable directly from a wide range of security products and integrated solutions.
First, I don't believe security professionals should get dragged into the endless and futile debate over the value of information. That is not our job. The value of information should be determined at the highest levels of the organization. As Bruce says, in the event of a security incident, many of those values are intangible -- customer reactions, market perception, cost to re-brand along with the more traditional event mitigation and direct consequential costs.
But we can help. A few basic concepts should help understand that some aspects of security are measurable--and meaningful--if we find a common metric. Without getting into all of the math and formulas, that metric is time. From a risk and security standpoint, time is a common theme where we can bridge other information. A few mantras:
-- A security event should be detected rapidly.
-- A detected security event should trigger an alert as quickly as possible.
-- The cyber-first-responder should react to the alarm in as close to zero-time as required by policy and the detected and evaluated severity of the threat.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by TwitterOn Twitter now
security
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
