Why security metrics aren't helping prevent data loss

For discussions about security.
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Why security metrics aren't helping prevent data loss

#1 Post by Flash »

Why security metrics aren't helping prevent data loss
[quote]Security metrics are supposedly a way for upper management and IT departments to converse intelligently about in-house security programs. Why aren't the metrics working?

Reported data loss due to security breaches is not slowing down in the least bit, as the graph below (courtesy of DataLossDB.org) vividly points out. What’s more, these statistics only include publicly reported breaches. One can only imagine how many security breaches are unreported by organizations wanting to avoid public scrutiny....

...Security metrics are often misunderstood, being referred to as a measuring process, and that is not the case. Shirley C. Payne in her SANS Institute paper, A Guide to Security Metrics, explains the difference:

Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing, to a predetermined baseline, two or more measurements taken over time. Measurements are generated by counting; metrics are generated from analysis. In other words, measurements are objective raw data, and metrics are either objective or subjective human interpretations of those data.

Next, Shirley describes what would be considered a “useful

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

Why security metrics aren't helping prevent data loss

#2 Post by Monsie »

Hmmm....

A useful metric depends on accurate measurement. A metric may not be very meaningful if a significant number of security breaches are not being reported by many companies.

A useful metric really depends on useful measurement. While it is useful to determine the number of security breaches a company suffers within a given period, it is more useful to measure the different kinds of security breaches (classification).

Beyond that, metrics cannot by themselves be very effective in helping to prevent data loss because the matter of security is an ongoing challenge. Metrics provide a better look at the past than a glimpse at the future, because security issues are ever evolving... So it is difficult to make accurate predictions, and take all necessary proactive steps in order to stop data loss down the road.

All in all, the crux is that one is dealing with an open-ended kind of problem here, and so measurement and metrics can only ever be a part of the solution toward preventing data loss. That said, the manner in which we use measurement and metrics can be improved without a doubt.

Just some more food for thought,
Monsie
My [u]username[/u] is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
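The measurement/metric distinction quoted from Payne's paper in the first post, and the point about classifying breach kinds in the second, can be made concrete in code. The following is an added example, not code from either poster or from the quoted article: incidents are recorded as raw measurements (date, category, records exposed), a per-year count is the "measurement generated by counting", and the metric is the analysis that compares the current year with a baseline year per category. The incident list is constructed sample data, and the category names are the example's own assumption, not a classification from the page.

```python
from collections import defaultdict
from datetime import date

# Constructed sample measurements (illustrative, not real breach data):
# one tuple per publicly reported incident: (date, category, records exposed).
# Category names are this example's own choice.
INCIDENTS = [
    (date(2010, 2, 9), "hacking", 20000),
    (date(2010, 4, 21), "lost_device", 800),
    (date(2010, 6, 2), "lost_device", 3500),
    (date(2010, 9, 30), "insider", 150),
    (date(2010, 11, 12), "hacking", 120000),
    (date(2010, 12, 1), "lost_device", 600),
    (date(2011, 1, 17), "hacking", 45000),
    (date(2011, 3, 8), "lost_device", 2100),
    (date(2011, 5, 25), "hacking", 9000),
    (date(2011, 7, 14), "web_app", 30000),
    (date(2011, 8, 3), "hacking", 250000),
    (date(2011, 10, 19), "lost_device", 400),
    (date(2011, 11, 2), "hacking", 7000),
    (date(2011, 12, 15), "lost_device", 1300),
]


def measure(incidents, year):
    """Measurement: raw per-category counts and records exposed for one year.

    This is the single-point-in-time, objective step: nothing is interpreted,
    the incidents are only counted and summed.
    """
    counts = defaultdict(int)
    records = defaultdict(int)
    for when, category, exposed in incidents:
        if when.year == year:
            counts[category] += 1
            records[category] += exposed
    return {"counts": dict(counts), "records": dict(records)}


def derive_metrics(baseline, current):
    """Metric: compare a current measurement against a baseline measurement.

    For every category seen in either year, report the percent change in
    incident count and a trend label. A category absent from the baseline
    has no defined percent change, so it is flagged as 'new' instead of
    dividing by zero.
    """
    metrics = {}
    categories = set(baseline["counts"]) | set(current["counts"])
    for category in sorted(categories):
        b = baseline["counts"].get(category, 0)
        c = current["counts"].get(category, 0)
        pct = None if b == 0 else round((c - b) / b * 100.0, 1)
        if b == 0:
            trend = "new"
        elif c > b:
            trend = "worsening"
        elif c < b:
            trend = "improving"
        else:
            trend = "flat"
        metrics[category] = {
            "baseline": b,
            "current": c,
            "pct_change": pct,
            "trend": trend,
        }
    return metrics


def report(incidents, baseline_year, current_year):
    """Convenience wrapper: measure both years, then derive the metrics."""
    return derive_metrics(measure(incidents, baseline_year),
                          measure(incidents, current_year))


if __name__ == "__main__":
    for category, m in report(INCIDENTS, 2010, 2011).items():
        change = "n/a" if m["pct_change"] is None else f"{m['pct_change']:+.1f}%"
        print(f"{category:12s} {m['baseline']:>3d} -> {m['current']:>3d}  {change:>8s}  {m['trend']}")
```

Running it turns six 2010 incidents and eight 2011 incidents into a per-category trend table. The metric inherits every weakness of the measurement: if unreported incidents are missing from the input list, the output shows an "improving" category just as confidently as a real improvement, which is the gap the thread is discussing.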
