security goals should be met, and to drive the actions that improve an organization's security
program so that it is effective and grounded in industry best practice. All of this matters because
security metrics are a key factor in controlling, understanding and, very often, defending a cyber
environment. They give us insight into the state of a system and let us build sound defenses on
the basis of that insight rather than on guesswork.

Why Is Generating the Metrics So Challenging?


Why is it so difficult to generate the metrics? Largely because it is hard to determine how secure
an organization actually is. Most would agree that the number of successful attacks is not, on its
own, an indicator of how secure an organization is: an organization that has not been breached
may simply not have been targeted yet. So how can we know that something is secure? To a large
degree, that depends on luck, and luck is not something we can measure. The analogy carries over
to security metrics: measuring security is as complex and challenging as measuring luck, because
the quantity we care about is an absence of harm that may only not have happened yet.

When we measure security, we deal with very abstract terms such as asset value, threat and
vulnerability, and it is hard to define all three and to express them as numbers. Asset value is the
easiest of the three to measure, but certain aspects of value, such as a company's good reputation,
are hard, if not impossible, to quantify. Some believe that threat cannot be measured at all, since
it is only the potential for harm. Some progress is being made in objectively measuring
vulnerability, at least for specific types of networked computer devices, while other facets of
vulnerability, such as the degree of security awareness among computer users, can still only be
measured subjectively. All of this is difficult because security metrics are still a young field, and
useful security metrics programs and strategies remain underdeveloped. There are already some
data and practical experience in this pioneering area, but we still lack a good metrics model that
explains how to proceed in order to better understand cyber risk.

How to Build your Security Metrics Program?

The simplest answer to this question is to follow industry best practice. There is a great deal of
literature on the topic, but we would point to the SANS Guide to Security Metrics (Shirley C.
Payne, SANS Institute) as one of the best industry guidelines in this field. Its steps are as follows:

(1) Define the metrics program goal(s) and objectives,
(2) Decide which metrics to generate,
(3) Develop strategies for generating the metrics,
(4) Establish benchmarks and targets,
(5) Determine how the metrics will be reported.

These first five steps of the methodology should yield a firm understanding of the purpose of the
security metrics program, its specific deliverables, and how, by whom and when these deliverables
will be provided. The SANS guide follows them with two further steps, creating an action plan and
acting on it, and establishing a formal review and refinement cycle for the program. In this article
we will not analyze these steps in more depth.
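As an added illustration, which is not part of the original article nor of the SANS guide, the following Python sketch turns steps 2 to 5 into working code for one assumed program goal: shrinking the time that production hosts stay exposed to known vulnerabilities. The host names, the findings list, the SLA windows and the target values are all constructed for the example; a real program would take the findings from a vulnerability scanner export and set its targets through the process the guide describes.

```python
"""Added example, not from the article or the SANS guide: a minimal metrics
pipeline that turns steps 2-5 of the methodology above into code.

Program goal (assumed): shrink the window of exposure to known vulnerabilities
on production hosts. The findings, SLA windows and targets below are constructed
for illustration and are not recommendations."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str          # "critical", "high", "medium" or "low"
    found: date            # when the scanner first reported it
    fixed: Optional[date]  # None while the finding is still open


# Step 3 (generation strategy): in practice this list is the export of a
# vulnerability scanner; here it is constructed by hand for the example.
HOSTS = ["web-01", "web-02", "db-01", "app-01"]
FINDINGS = [
    Finding("web-01", "critical", date(2024, 9, 1), date(2024, 9, 5)),   # fixed in 4 days
    Finding("web-02", "critical", date(2024, 9, 2), date(2024, 9, 15)),  # fixed in 13 days
    Finding("db-01", "critical", date(2024, 9, 20), None),               # open for 10 days
    Finding("db-01", "high", date(2024, 9, 3), date(2024, 9, 20)),       # fixed in 17 days
    Finding("web-01", "high", date(2024, 9, 25), None),                  # open for 5 days
    Finding("app-01", "critical", date(2024, 9, 28), None),              # open for 2 days
    Finding("app-01", "medium", date(2024, 9, 10), None),                # not in scope
]
AS_OF = date(2024, 9, 30)  # reporting date for the constructed data

# Step 4 (benchmarks and targets): assumed remediation SLAs and targets.
SLA_DAYS = {"critical": 7, "high": 30}
TARGETS = {
    # metric name: (target value, side of the target the metric must lie on)
    "critical_fixed_within_sla_pct": (95.0, "at_least"),
    "high_fixed_within_sla_pct": (90.0, "at_least"),
    "open_critical_per_host": (0.1, "at_most"),
}


def fixed_within_sla_pct(findings, severity, as_of):
    """Step 2 (metric): share of findings of one severity remediated inside the SLA.

    A finding counts only once its outcome is decided: fixed (hit or miss by the
    days elapsed) or still open but already past the SLA (a miss). Open findings
    still inside the window are excluded so they neither inflate nor deflate the
    figure. Returns None when nothing has been decided yet."""
    window = SLA_DAYS[severity]
    decided = []
    for f in findings:
        if f.severity != severity:
            continue
        if f.fixed is not None:
            decided.append((f.fixed - f.found).days <= window)
        elif (as_of - f.found).days > window:
            decided.append(False)
    if not decided:
        return None
    return 100.0 * sum(decided) / len(decided)


def open_critical_per_host(findings, hosts):
    """Step 2 (metric): open critical findings normalized by fleet size, so the
    number stays comparable as hosts are added or retired."""
    open_critical = sum(1 for f in findings if f.severity == "critical" and f.fixed is None)
    return open_critical / len(hosts)


def build_report(findings, hosts, as_of):
    """Step 5 (reporting): every metric beside its target and a verdict, so the
    reader sees the gap rather than a bare number."""
    values = {
        "critical_fixed_within_sla_pct": fixed_within_sla_pct(findings, "critical", as_of),
        "high_fixed_within_sla_pct": fixed_within_sla_pct(findings, "high", as_of),
        "open_critical_per_host": open_critical_per_host(findings, hosts),
    }
    report = {}
    for name, value in values.items():
        target, direction = TARGETS[name]
        if value is None:
            status = "no data"
        elif direction == "at_least":
            status = "meets target" if value >= target else "below target"
        else:
            status = "meets target" if value <= target else "above target"
        report[name] = {"value": value, "target": target, "status": status}
    return report


if __name__ == "__main__":
    for name, row in build_report(FINDINGS, HOSTS, AS_OF).items():
        shown = "n/a" if row["value"] is None else f"{row['value']:.1f}"
        print(f"{name:32} {shown:>6}  target {row['target']:<5}  {row['status']}")
```

Two design choices matter more than the arithmetic. An open finding that is already past its SLA is counted as a miss, so the metric cannot be improved by leaving tickets open, and findings still inside their window are left out rather than counted as either hits or misses. The report pairs every value with its target and a verdict, which is the form the reader of step 5 needs; on the constructed data the critical-severity SLA figure comes out at about 33 percent against a 95 percent target, the high-severity figure at 100 percent, and the fleet carries 0.5 open critical findings per host.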

Conclusions




Cyber Warnings Magazine, September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide