By looking for evidence first, the Brits do it right

by Russell on April 9, 2013

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now.  The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, (…)

Read the rest of this entry »

Indicators of Impact — Ground Truth for Breach Impact Estimation

by Russell on March 18, 2013

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not (…)

Read the rest of this entry »

New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”

by Russell on March 17, 2013

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact (…)

Read the rest of this entry »

Securosis goes New School

by Russell on August 10, 2011

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization“, starting in a couple of weeks.  Sounds pretty New School to me!  I suggest that you all check it out (…)

Read the rest of this entry »

Fixes to Wysopal’s Application Security Debt Metric

by Russell on March 5, 2011

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”.  I like the general idea, but I have found some problems in his method.  In this post, I suggest corrections (…)

Read the rest of this entry »

Is Norton Cybercrime Index just ‘Security Metrics Theater’?

by Russell on February 17, 2011

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorthms and data.

Would a CISO benefit from an MBA education?

by Russell on February 9, 2011

If a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the MBA-level knowledge and skill. MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

Another critique of Ponemon’s method for estimating ‘cost of data breach’

by Russell on January 26, 2011

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

Dashboards are Dumb

by Russell on January 12, 2011

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.

Estimating spammer’s technical capabilities and pathways of innovation

by Russell on December 6, 2010

I’d like some feedback on my data analysis, below, from anyone who is an expert on spam or anti-spam technologies. I’ve analyzed data from John Graham-Cumming’s “Spammers’ Compendium” to estimate the technical capabilities of spammers and the evolution path of innovations.