Term
Practical/useful security metrics have the following basic characteristics:

Definition
• easy to connect to the concept of security
• transparent data gathering process
• supports security decision-making

Term

Definition
The process of mapping from the empirical world to the formal, relational world. The measure that results characterizes an attribute of some object under scrutiny.
Note: Information Security is not the object, nor a well-understood attribute, which means you are not directly measuring security; you are measuring other things and drawing conclusions about security from them.

Term

Definition
Attributes that can be measured before the outcome is clear.

Term

Definition
Attributes that can only be measured after the fact.

Term
Key Goal Indicators (KGI)

Definition
Attributes whose measures indicate whether a goal (or set of goals) has been met. Since they can only be measured after the fact, they are lag indicators.

Term
Key Performance Indicators (KPI) or just Performance Indicators

Definition
Attributes whose measures indicate whether goals are likely to be met. Since they can be measured before the outcome is clear, they are lead indicators.

Term
International Standard for Designing/Managing Security Metrics (Process)

Definition
1. Plan
2. Do
3. Check
4. Act

Term

Definition
1. Nominal (exists, doesn't exist)
2. Ordinal (order: high, medium, low)
3. Interval (order and quantity)
4. Ratio

Term
Criteria for Security Metrics (nine things)

Definition
Valid: data supports a hypothesis that the system is secure
Accurate: data reflects the content of measurement as it was envisioned
Numeric: data can be precisely quantified
Correct: data is collected according to specifications
Consistent: measure is independent of the measurer
Time-based: there is a fixed reference point of data collection
Replicable: measurement repeated in the same manner in the same environment will yield the same result
Unit-based: data may be expressed in terms of a unit
Informative: data provides information without additional context

Term
Rules for Evaluation of Metrics

Definition
• Any metric that is not accurate or not valid is weak
• Any metric that is accurate and valid is at least neutral
• Any metric that is accurate, valid, informative, and time-based is strong

Term
What are the four types of metrics?

Definition
1. Activity
2. Target
3. Remediation
4. Monitor

Term
Activity Metric (definition)

Definition
Metrics that measure work activity, e.g., incidents reported via email.

Term
Target Metrics (definition)

Definition
Metrics that have a measurable target (e.g., no missing logs).

Term
Remediation Metrics (definition)

Definition
Metrics that show progress toward a goal, e.g., % of systems that have been converted to a new operating system.

Term

Definition
Metrics that monitor processes, e.g., the number of changes vs the number of changes authorized, or the percent of password reset calls where the staff followed (and/or documented) the process.

Term
Link Indexes to Security Data

Definition
Common indexes cannot be expected to exist in different realms and different management domains. Expectations for linkage must be articulated.

Term
Creating/Using Metrics (end to end process)

Definition
• Start with known data on the environment
• Quantify or otherwise represent unknowns
• Link control-relevant data to known data
• Anticipate decision requirements
• Design presentations for use in decisions

Term

Definition
Vulnerabilities != Exploits
Threats != Exploits
Vulnerabilities + Threats != Exploits
Vulnerabilities + Threats allow Exploits
Exploits != Damage
Exploits + Service/Data/Financial Loss = Damage
Controls minimize the probability of Exploits

Term

Definition
A weakness which allows an attacker to reduce a system's information assurance. It is the result of a system bug or flaw and must be accessible by an attacker.

Term

Definition
A possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

Term

Definition
A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

Term
Traditional Risk Assessment Approach

Definition
• Identify Assets within Scope
• Determine Threats, Risks, Concerns, and Issues Related to Assets
• Prioritize the Risk According to System and Information Importance
• Determine the Threat Level of the Assets
• Determine Known Vulnerabilities of the Assets

Term

Definition
The science of risks and their probability and evaluation.

Term
Risk Management focuses on the following four areas

Definition
1. Compliance, e.g., total population vs population in compliance.
2. Organizational Structure, e.g., show compliance across different organizational populations.
3. Automation, e.g., automated collection of data.
4. Trends (often used to depict data beyond the control of management).

Term
Remediation Management focuses on the following:

Definition
1. Quality: actual number of known vulnerabilities (as opposed to the number of systems scanned for vulnerabilities).
2. Process: control points from the process directly correlated to measured activity.
3. Accountability: what was the root cause?
4. Implementation: recognizes systemic issues and acts.