Posts

Showing posts from January, 2013

SMotW #42: Consequences of noncompliance

Security Metric of the Week #42: Historic consequences of noncompliance

The title or name of this metric is not exactly crystal clear. We presume it involves totting up the fines/penalties resulting from noncompliance with (information security relevant) legal, regulatory and contractual obligations. Knowing how much security noncompliance is costing the organization might conceivably help management determine whether sufficient resources are being applied to compliance activities ... but the metric has a few issues. It is historical, for starters, and we're not certain that projected trends would be meaningful in this context. Noncompliance incidents tend to occur sporadically or in clusters (since investigating one incident may dig up others) rather than regularly and predictably. The time taken to identify/calculate and sum compliance costs is another concern. Fines and penalties are not the only costs of noncompliance. Bad publicity resulting fro...

Physical security awareness

We have just completed and released an awareness module covering the physical side of information security. Physical protection of information assets is every bit as important as the protection afforded to information through logical security and other forms of control. There are significant physical security threats (such as fires, floods, intruders, saboteurs and thieves), vulnerabilities (e.g. the sensitivity of electronic devices to power glitches and overheating, and the flammability of paper records) and impacts (severely damaged or destroyed systems and data may be impossible to recover economically, and unauthorized disclosure of information on stolen systems or papers may cause legal, regulatory and commercial repercussions). So what does your organization currently do to raise awareness of physical security? Maybe you already have a policy in this area, but plans to design a poster, develop a course, organize a seminar or whatever don’t count, however well-intenti...

PRAGMATIC Security Metrics sample chapter

The publisher has released chapter 2 as a sample of the book. Chapter 2 concerns the reasons or purposes for using security metrics. Over on CISSPforum, we've just been chatting about the validity of security certifications such as SSAE16 (formerly SAS70), PCI-DSS and ISO/IEC 27001. These schemes use formal compliance audits to determine whether organizations deserve to be certified. Formal compliance audits are based around highly specific and explicit requirements, leaving the auditor and auditee little leeway to "interpret" the obligations. It is implied that such "interpretation" would be a bad thing, although there is a strong argument to the contrary. Unfortunately for this approach, information security refuses to be put into a neatly labelled box. It simply is not possible to specify security control requirements in sufficient detail for the classic compliance audits, in a generic or universal one-size-fits-all specification. There are fa...

SMotW #41: insurance cover vs premiums

Security Metric of the Week #41: insurance coverage versus annual premiums

An organization's insurance arrangements potentially reveal quite a bit about management's stance on risk. Residual risks that management feel they cannot mitigate further, cannot avoid and will not accept are typically transferred to third parties through various business arrangements, including insurance. The insurance premiums management is willing to pay give an indication of the value they place on those risks, as well as the insurers' assessment of the same risks from their perspectives. Insurance coverage versus annual premiums is someone's attempt to specify an insurance-based metric. It sounds simple enough in theory: determine the insurance cover provided, divide it by the annual insurance premium, and plot it year-by-year to show ... errrr, what exactly? At face value, it's just a measure of the value obtained from the insurers (e.g. $10m of cover for a premium of $10k p.a. i...

SMotW #40: ROI

Security Metric of the Week #40: ROI (Return On Investment)

ROI is a commonplace management accounting measure, a means of assessing the net worth (benefits less costs) of an investment, common as muck you might say. But is it a good security metric? There are patently situations, in some organizations, in which ROI must be good since it often turns up in business cases, proposals or budget requests to help justify corporate projects or initiatives. And yet some prefer other financial metrics such as IRR (Internal Rate of Return). When Acme Enterprises Inc. puts ROI through the PRAGMATIC sausage-machine, ROI turns out to be a fairly mediocre security metric:

         P   R   A   G   M   A   T   I   C   Score
ROI     65  72  25  25  88  50  44  60  90     58%

ROI is a Cost-effective metric (takes just an hour or two to calculate) that is presumably Meaningful to its intended audience, i.e. management, but it doesn't score too well on the remaining criteria. It is not terribly...

Critically appraising security surveys

A thought-provoking paper by Alexis Guillot and Sue Kennedy of Edith Cowan University in Perth, Australia, examined typical information security surveys, concluding that, despite questions over their scientific validity, they are a useful source of management information. From a scientific perspective, the following criticisms are commonly leveled:

- Survey design/method
- Sample selection, including demographics and self-selection
- Sample size
- Bias, particularly where sponsors have a vested/commercial interest in the topic

These are acknowledged as valid concerns by the paper's authors. The authors also commented that surveys do not appear to account for the limited knowledge/expertise of the individual respondents, a subtler issue. The scope of the surveys can be quite broad (e.g. covering IT security, physical security, risk management, incident management and financial management), yet do respondents (normally IT security professionals, I guess)...

Book review: PRAGMATIC security metrics

I am absolutely delighted to announce the release of PRAGMATIC Security Metrics, a new book published by Auerbach/CRC Press. It was my honor to collaborate on the writing with Krag Brotby, famed author of previous best-sellers on information security governance and security metrics and, for some years now, editor of the official CISM Review Manual for ISACA. Many of you will know Krag from his CISM courses. Krag took quite a chance in agreeing to co-author a book with me. Although I am researching and writing security awareness materials all the time, this is the first actual book I have written, aside from my PhD thesis (long since forgotten). I do hope I haven't let him down! Writing the book took a lot of hard work between us, most of it online. Google Docs was invaluable in spanning the thousands of miles between Krag's home in California and mine in Hawkes Bay. We constantly fed off each other's creative energy, taking inspiration partly from other authors and...

"PRAGMATIC security metrics" available now

The long wait is over: PRAGMATIC Security Metrics has been published by Auerbach/CRC Press. With the ink still drying, the wholesalers and distributors are busy stocking up the retailers as we speak. Those of you who had the foresight to pre-order it can expect your delivery soon. If you haven't, you can order it online now from Amazon/Book Depository, CRC Press, Foyles, Booktopia, !ndigo, Bokus, Red Pepper, Powell’s, QBD and elsewhere. If you would rather thumb through the book before parting with the readies, ask your local bookstore or library to stock it. Alternatively, persuade management to get the book in for your corporate university, library or bookshelf ... or simply buy it yourself and reclaim the expenses, or put the charge down to experience and self-training! As to the business case for buying the book, can you afford not to improve your security metrics? If you struggle...

PRAGMATIC Security Metric of the Quarter #3

PRAGMATIC Security Metric of the Third Quarter

These are the example information security metrics we have discussed and scored over the past three months, ranked in descending order of their PRAGMATIC scores:

Example metric               P   R   A   G   M   A   T   I   C   Score
Metametrics                 96  91  99  92  88  94  89  79  95     91%
Access alert message rate   87  88  94  93  93  94  97  89  79     90%
Asset management maturity   90  95  70  80  90  85  90  85  90     86%
Compliance maturity         90  95  70  80  90  85  90  85  90     86%
Physical security maturity  90  95  70  80  90  85  90  85  90     86%
Thud factor                 82  80  60  60  70  45  85  86  84     72%
Business continuity spend   75  92  20  82  95  70  70  70  70     72%
Benford's law               84  30  53  95  11  98  62  98  23     62%
Controls coverage           87  89  65  40  74  35  46  40  30     56%
Homogeneity                 67  70  40  59  67  50  ...