Posts

Showing posts from October, 2013

SMotW #78: % of policies addressing viable risks

Security Metric of the Week #78: proportion of information security policies addressing genuine risks

Writing policies is easy: writing policies that are relevant is harder than it sounds, and writing policies that are readable, fully implemented and straightforward to assess for compliance is harder still. This week's example metric is intended to highlight policies that are irrelevant or pointless, for example those that concern situations or risks that are remote (extremely unlikely) in practice. If there is no conceivable combination of threat, vulnerability and business impact, there is little chance of an information security incident, hence a policy (or in fact any other form of control) is probably unnecessary.

ACME rated the metric at 75% on the PRAGMATIC scale:

P  R  A  G  M  A  T  I  C  Score
65 76 91 73 83 77 70 61 78 75%

There was some interest in us...

Survivability awareness module

'Scraping through by the skin of our teeth' may not sound like an inspired business strategy, but in the case of serious incidents and disasters, it may be all that can realistically be hoped for - and it sure beats the alternative. The key point, of course, is to get through. The poster image is meant to be strangely disturbing.  Facing up to the stark realities of impending business collapse is tough, but someone has to do it. November's awareness module covers "survivability", the capability and the determination to survive things that are so drastic that they threaten the organization's viability.  It picks up where previous modules have left off, extending awareness topics such as risk management and business continuity. Discussing such extremes in the awareness program means treading a fine line between failing to motivate people to pay sufficient attention to the topic, and over-stating the risks to the point that the program loses credibility and peopl...

SMotW #77: Computer suite power vs aircon

Security Metric of the Week #77: computer suite power consumption versus its air conditioning capacity

Monitoring the total electrical power consumed by the computer suite (building, room, cupboard, whatever) is a basic control measure that is useful for managing the power supply, for example ensuring that it remains within the safety limits and engineering constraints of the cabling and switch-gear. If (when! Hopefully before!) the power consumption approaches some limit, decisions have to be made about leveling off the trend (e.g. by replacing older IT equipment with more energy-efficient green stuff) and upgrading the supply, preferably through a coherent, planned, professional program of engineering work. Computer suite power consumption is itself a highly PRAGMATIC metric. In addition to energy from the environment and sunshine, a significant proportion of the electrical energy pumped into the computer suite through the power system turns into heat that also ha...

SMotW #76: Policy quality

Security Metric of the Week #76: quality of information security policies

Poor-quality, badly-written policies:

- Are less likely to be understood by the people they are meant to guide/direct/control;
- May neglect, under-play or mis-state certain obligations or requirements;
- Are probably not being actively maintained and so are probably outdated;
- May conflict with other policies, plus strategies, standards, procedures, guidelines, laws, regulations etc.;
- May create legal liabilities or open up opportunities for people or organizations to claim they don't apply, are unworkable, are unreadable etc.;
- May create excessive, unnecessary or inappropriate requirements and costs (red tape);
- Give the appearance of expressing management's intent but in fact probably do not (fully) address the information security issues/risks they are supposed or intended to address;
- Don't work: compliance is likely to be low, and they are more likely to be flouted or openly ignored;
- Reflect badly on the...

Giant Green Land Snails

A fascinating thread is being woven over on the ISO27k Forum, concerning information security risk analysis (RA) methods. Bob Ralph made a good point that set me thinking this morning: "... 'unknown knowns' should be scored the very highest until you know otherwise ... Of course the 'unknown unknowns' will not even be on the RA. But they are still about somewhere."

Biologists have developed techniques for estimating the unknown and answering awkward questions such as "How many Giant Green Land Snails are there on this island?" The obvious technique is to try to catch and count them all, but that's (a) costly, (b) disruptive for the snails and their ecosystem, and (c) not as accurate as you might think (snails are well camouflaged and duck for cover when biologists approach!). Capture-mark-recapture, also known as tag-and-release, is a more useful technique: catch all the snails you can find in a given area, mark or uniquely identify them in so...

Expressing security metrics in business terms

On the Security Leadership Solutions Executive Council Faculty Advisor blog, Kathleen Kotwica raised a good point about ineffective security metrics: "The issue many security practitioners incur is a) not measuring at all or b) measuring things by simply counting them (e.g., workplace violence incidents or lost laptops), rather than demonstrating the value Security brings to the business. By way of example, convey savings to the company by your program's reduction of workplace violence issues. That is, the cost of managing an event and lost employee time; or cost savings by reducing any potential acts because of your background due diligence program."

Although the blog concerns physical security metrics, Kathleen's point applies equally to the broader class of information security metrics. And the issue is not simply about counting things, but about presenting simple counts, or indeed other statistics, without giving them relevance and meaning to the business. Supp...

SMotW #75: noncompliant controls

Security Metric of the Week #75: number of controls failing to meet defined control criteria/objectives

The premise for this metric is that information security controls are, or rather should be, designed to achieve something fairly specific, i.e. the control objective. Provided they are well worded, it ought to be possible to assess the extent to which control objectives are satisfied in order to determine whether the corresponding controls are adequate.

The PRAGMATIC ratings for this metric, according to ACME's managers, are:

P  R  A  G  M  A  T  I  C  Score
88 86 88 65 78 60 26 90 70 72%

The metric's Timeliness rating depends on the testing-and-reporting period. The gaudy traffic-light colored example graph above shows a monthly reporting period which would be good for timeliness, but assessing and reassessing this metric every month would be beyond the limited capabili...