Archive for the “metrics” category

Active Defense: Show me the Money!

by adam on June 21, 2012

Over the last few days, there’s been a lot of folks in my twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t (…)

Oracle’s 78 Patches This Quarter, Whatever…

by David Mortman on January 19, 2012

There’s been a lot of noise of late because Oracle just released their latest round of patches and there are a total of 78 of them. There’s no doubt that that is a lot of patches. But in and of (…)

Lean Startups & the New School

by adam on September 20, 2011

On Friday, I watched Eric Ries talk about his new Lean Startup book, and wanted to talk about how it might relate to security. Ries conceives of startups as businesses operating under conditions of high uncertainty, which includes things you (…)

Securosis goes New School

by Russell on August 10, 2011

The fine folks at Securosis are starting a blog series on “Fact-based Network Security: Metrics and the Pursuit of Prioritization”, starting in a couple of weeks. Sounds pretty New School to me! I suggest that you all check it out (…)

Sex, Lies & Cybercrime Surveys: Getting to Action

by adam on June 23, 2011

My colleagues Dinei Florencio and Cormac Herley have a new paper out, “Sex, Lies and Cyber-crime Surveys.” Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed (…)

Fixes to Wysopal’s Application Security Debt Metric

by Russell on March 5, 2011

In two recent blog posts (here and here), Chris Wysopal (CTO of Veracode) proposed a metric called “Application Security Debt”. I like the general idea, but I have found some problems in his method. In this post, I suggest corrections (…)

Just Because YOU Think Your Clients Are Too Busy and/or Stupid Doesn’t Mean Everyone Else Is

by alex on March 1, 2011

Mike Rothman’s “Firestarter” on “Risk Metrics are Crap”. It’s very difficult to argue with a poorly constructed argument. Especially when I have no idea what a “risk metric” is. But best as I can tell, Mike’s position is that unless (…)

Is Norton Cybercrime Index just ‘Security Metrics Theater’?

by Russell on February 17, 2011

Symantec’s new Norton Cybercrime Index looks like it is mostly a marketing tool. They present it as though there is solid science, data, and methods behind it, but an initial analysis shows that this is probably not the case. The only way to have confidence in this is if Symantec opens up about their algorithms and data.

Gunnar on Heartland

by alex on January 22, 2011

Analysis of Heartland’s business as a going concern by @oneraindrop. Especially interesting after comments on the CMO video.

Dashboards are Dumb

by Russell on January 12, 2011

The visual metaphor of a dashboard is a dumb idea for management-oriented information security metrics. It doesn’t fit the use cases and therefore doesn’t support effective user action based on the information. Dashboards work when the user has proportional controllers or switches that correspond to each of the ‘meters’ and the user can observe the effect of using those controllers and switches in real time by observing the ‘meters’. Dashboards don’t work when there is a loose or ambiguous connection between the information conveyed in the ‘meters’ and the actions that users might take. Other visual metaphors should work better.