Showing posts from June, 2013

Bloopers - a brand new security awareness module

We're only human. None of us is perfect – we all make misteaks (some more than most!). Most of the time we get away with them, but the odd moment’s inattention sometimes leads to a little accident and, in rare cases, causes something far more serious. Researching the topic and writing July's security awareness module was quite entertaining at times. Even the very words we use tend to raise a smile - blooper, boo-boo, boob, gaffe, gotcha, blunder and so on. For those not directly impacted, human errors such as actual slip-ups can be hilarious. There are popular TV programs and YouTube channels devoted to this stuff. On the other hand, the 2 micron error that nearly wrecked NASA’s Hubble Space Telescope was outrageously expensive and not funny at all, while the ‘Weapons of Mass Destruction’ intelligence error that led to the Iraq war is deadly serious, not in the least bit amusing. With such a huge variety of bloopers to draw upon, we were truly...

IMF TO TAX LOWER CASE LETTERS

HAVING JUST RECEIVED THIS EMAIL MISSIVE FROM THE IMF WORLD REGULATORY OFFICE, ALL IN CAPS, I CAN ONLY ASSUME THAT THE IMF IS ABOUT TO IMPOSE A TAX ON LOWER CASE LETTERS:   IMF WORLD REGULATORY OFFICE INTERNATIONAL FUNDS REGULATORY AUTHORITY INTER-CONTINENTAL DEBT RECONCILIATION DEPT. FROM THE DESK OF: HONORABLE MRS. SARAH JONES DIRECTOR; IMF WORLD REGULATORY OFFICE. ATTENTION:PROVISION OF AFFIDAVIT OF CLAIM CERTIFICATE FOR LEGAL COVER/ PROTECTION OF 15.5 MILLION GREAT BRITAIN POUNDS IN FAVOR OF YOU TODAY IS ALREADY JUNE 2013 AND WE WANT TO BRING TO YOUR KIND AND HUMBLE NOTICE THAT A NEW BOARD OF DIRECTOR'S HAVE NOW TAKEN OVER THE AFFAIRS OF THIS OFFICE AND DURING OUR AUDITING WE FOUND OUT THAT YOUR FUND WORTH 15.5 MILLION GREAT BRITAIN POUNDS IS YET TO BE PAID TO YOU, THIS WAS A SHOCKING NEWS AND REVELATION TO THE NEW BOARD OF DIRECTOR'S. ON OUR KNOWLEDGE OF THIS REVELATION A LENGTHY MEETING WAS HELD IMMEDIATELY BY THE NEW BOARD OF DIRECTORS ON YOUR BEHALF AND IT WAS DECIDED IN...

SMotW #63: infosec budget variance

Security Metric of the Week #63: information security budget variance

This is, self-evidently, a financial information security metric, but what exactly is "information security budget variance"? Now there's the rub. You might interpret it as a measure of the discrepancy between budgeted, permitted, authorized or allocated funds for information security and actual expenditure. The illustrative graph above is a view of Acme Enterprise's information security budget variance on this basis over the course of a year, showing actual relative to predicted security expenditure (the zero dollar horizontal axis representing the budgeted spend). Things are looking pretty grim for the first quarter but gradually improve as (presumably) firm action is taken to correct the overspend. It looks as if there might even be a small surplus at the end of the year, perhaps enough to afford some discretionary expenditure such as a boost to the security awareness and training budg...

Cart << horse

When we first met and started discussing information security metrics, Krag and I soon realized we shared the view that there are loads of possible metrics out there. Anyone out shopping for security metrics is spoiled for choice, facing a bewildering array of things they could measure. Far from being short of possible metrics, we face the opposite problem: choosing which of the plethora of metrics on offer to go with. Most people writing about security metrics propose or recommend specific metrics. The better ones at least make the effort to explain what the metrics are about, and a few take the trouble to justify their choices. Here's a single example, a list of over 40 metrics recommended by Ben Sapiro on the LiquidMatrix blog: time to patch; time to detect; time to respond; system currency; time to currency; population size; vulnerability resilience/vulnerable population; average vulnerabilities per host; vulnerability growth rate versus review rate; infection sp...

Honing your presentation skills for security awareness

Today on CISSPforum we've been chatting about Death by PowerPoint, the feeling that badly constructed and delivered presentations are not just tedious but counterproductive. Notable examples include eye-candy, wordy slides, cool but distracting infographics and "When we understand that slide, we'll have won the war". This stuff is particularly important in topics as complex and arcane as information security. I’m not sure why PowerPoint is always in the dock, other than the routine M$bashing. It’s just a tool, one of many. It seems to me the problem lies not so much with the tools as with the craftsmen and women who wield them so ineptly and inappropriately. You will rarely see the most accomplished, professional presenters using PowerPoint, or in fact any slides or handouts. They are positively overflowing with personality and expressiveness. They have presence and an infectious passion. They are naturals, true artis...

More security metrics from another vendor survey

A website security survey by White Hat Security makes the point that 'a comprehensive metrics program' is valuable: "The tactical key to improving a web security program is having a comprehensive metrics program in place – a system capable of performing ongoing measurement of the security posture of production systems, exactly where the proverbial rubber meets the road. Doing so provides direct visibility into which areas of the SDLC program are doing well and which ones need improvement. Failure to measure and understand where an SDLC program is deficient before taking action is a guaranteed way to waste time and money - both of which are always extremely limited." Naturally, we agree with them that a 'comprehensive metrics system' (whatever that might be) is A Good Thing ... but it's not entirely clear to me how they reached that particular conclusion from the survey data. Worse still, the survey design begs serious questions, like for example whe...

SMotW #62: security policy management maturity

Security Metric of the Week #62: security policy management maturity

As with the other ‘maturity metric’ examples given in the book (e.g. those for asset management, physical security, HR, business continuity and compliance) we envisage this metric as a scoring scale using predefined criteria against which the organization's security policy management practices are assessed and rated. Here's the first of four rows from the example policy maturity metric in Appendix H:

0%: no information security policy management. There is nothing even remotely resembling a security policy as such.
33%: basic information security policy management. There is a security policy of sorts, although probably of poor quality (e.g. badly worded or inconsistent), incomplete and/or out-of-date with some elements undocumented.
67%: reasonable information security policy management. The information ...
100%: excellent information security policy management.

Hannover/Tripwire metrics final part 5 of 5

So far in this series of bloggings, I have critiqued the top five metrics identified in the Hannover Research/Tripwire CISO Pulse/Insight Survey. I'll end this series now with a quick look at the remaining six metrics and an overall conclusion. Metric 6: "Legitimate e-mail traffic analysis". While the analysis might conceivably be interesting, isn't the metric the output or result of that analysis rather than the analysis itself? I'm also puzzled at the reference to 'legitimate' in the metric, since a lot hinges on the interpretation of the word. Is spam legitimate? Are personal emails on the corporate email system legitimate? Where do you draw the line? Working on the assumption that this metric, like the rest, is within the context of a vulnerability scanner system, perhaps the metric involves automatically characterizing and categorizing email traffic, then generating statistics. Without more information, the metric ...

SMoTW #61: % of policies linked to objectives

Security Metric of the Week #61: proportion of information security policy statements unambiguously linked to control objectives

Measuring is one way to reinforce the linkage between policy statements and higher level control objectives or axioms. Policies that bear no relation to control objectives/axioms beg the question: what are they meant to achieve? How will the organization determine whether they are effective if the intended outcome is uncertain? What is the justification for compliance with the policy, and what are the implications of low compliance? Conversely, a strong security policy with a specific, legitimate purpose that cannot be linked to a control objective or axiom implies the need to fill a gap in the high-level control framework.

PRAGMATIC ratings: P 92, R 91, A 64, G 60, M 85, A 65, T 45, I 75, C 75, Score 72%

"Unambiguously linked" leaves some wiggle...

The yin and yang of metrics

Many aspects of information security that would be good to measure are quite complex. There are often numerous factors involved, and various facets of concern. Take ‘security culture’ for example: it is fairly straightforward to measure employees’ knowledge of and attitudes towards information security using a survey approach, and that is a useful metric in its own right. It becomes more valuable if we broaden the scope to compare and contrast different parts of the organization, using the same survey approach and the same survey data but analyzing the numbers in more depth. We might discover, for instance, that one business unit or department has a very strong security culture, whereas another is relatively weak. Perhaps we can learn something useful from the former and apply it to the latter. This is what we mean by ‘rich’ metrics. Basically, it involves teasing out the relevant factors and getting as much useful information as we can from ind...