Archive for the “metrics” category

CRISC – The Bottom Line (oh yeah, Happy New Year!)

by alex on January 2, 2011

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just (…)

The Only Trust Models You’ll Ever Need

by alex on December 23, 2010

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having (…)

Visualization for Gunnar’s “Heartland Revisited”

by alex on November 16, 2010

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to (…)

A Letter from Sid CRISC – ious

by alex on October 25, 2010

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves (…)

Fines or Reporting?

by adam on October 1, 2010

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities. I’m concerned that for many of the breaches they report, we have (…)

What They Know (From the WSJ)

by alex on August 4, 2010

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.

Measuring The Speed of Light Using Your Microwave

by alex on June 21, 2010

Using a dish full of marshmallows.  We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following: …now you have what you need to measure the speed (…)

Getting the time dimension right

by Russell on May 6, 2010

If you are developing or using security metrics, it’s inevitable that you’ll have to deal with the dimension of time. “Data” tells you about the past. “Security” is a judgement about the present. “Risk” is a cost of the future, brought to the present. The way to marry these three is through social learning processes.

On Uncertain Security

by alex on April 3, 2010

One of the reasons I like climate studies is because the world of the climate scientist is not dissimilar to ours. Their data is fraught with uncertainty, it has gaps, and it might be kind of important (regardless of your (…)

Data void: False Positives

by Russell on March 10, 2010

A Gartner blog post points out the lack of data reported by vendors or customers regarding the false positive rates for anti-spam solutions. This is part of a general problem in the security industry that is a major obstacle to rational analysis of effectiveness, cost-effectiveness, risk, and the rest.