Posts

Showing posts from November, 2013

SMotW #81: control count

Security Metric of the Week #81: number of different information security controls

We're not entirely sure why anyone would feel the need to count their security controls, unless perhaps they think there might be either too many or too few, raising the question "How many controls should we have?". Nevertheless, somebody proposed this as an information security metric, and ACME's managers explored, discussed and scored it through the PRAGMATIC process:

  P   R   A   G   M   A   T   I   C  Score
 71  75  72  75  88  30  50  65  43    63%

They felt that counting security controls would be tedious, error-prone and laborious, hence the metric's depressed ratings for Timeliness, Accuracy and Cost-effectiveness. The 88% rating for Meaningfulness suggests that they believed this metric would provide useful information, provided the following issues were addressed. The word "different" in the full title of the metric could be misle...

Roughly right trumps precisely wrong

Inspired by a rant against information overload, I looked up Sturgeon's Law, which might be paraphrased as "90% of everything is crap". That in turn got me thinking about the Pareto principle (a.k.a. the 80/20 rule: 80% of the effects relate to 20% of the causes). The numbers in both statements are arbitrary and indicative, not literal. The 80% or 90% values are meant to convey "a large proportion" and bear no special significance beyond that. Adding the phrase "of the order of" would not materially affect either statement. I'm also reminded that (according to Steven Wright) "42.7% of statistics are made up on the spot", while Benjamin Disraeli's "lies, damned lies, and statistics" reminds us that numbers can be used to mislead as much as to inform. So how does this relate to PRAGMATIC security metrics? It is especially pertinent to the Accuracy and Meaningfulness criteria. Most metrics can be made more Acc...

PCI, meet Security Awareness

Whereas current and previous versions of PCI DSS, the standard for securing credit card data, have mentioned the need for security awareness, the forthcoming PCI 3.0 release will be more forthright on the need for security education and awareness. According to the official change notice, “Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.” The underlying issue is that, without adequate awareness, other information security controls are more or less pointless. I suspect PCI 3.0 will focus on ensuring that PCI security requirements are v...

On being cast adrift in a sea of metrics

With a spot of brainstorming and Googling around, it's not hard at all to come up with hundreds of candidate security metrics, often in fact entire families of potential metrics based on any starting point such as the 150 metrics in our book (we'll show you how that works with our next 'example metric of the week', here on the blog). There are loads of information-security-related things that could be measured, and loads of ways to measure them. This is a point we discussed in chapter 3, describing many potential sources of metrics inspiration. If you don't perceive a vast ocean of possible security metrics before you, you're either lacking in experience or you need to look harder! Having come up with a big bunch of possible security metrics, the PRAGMATIC method is a great way to filter out the few that are actually worth putting into production. Metrics with relatively low PRAGMATIC scores naturally gravitate to the bottom of your list while the high-ach...

SMotW #80: quality of system security

Security Metric of the Week #80: Quality of system security revealed by testing

Our 80th Security Metric of the Week concerns [IT] system security testing, implying that system security is in some way measured by the testing process.

The final test pass/fail could be used as a crude binary metric. It may have some value as a measure across the entire portfolio of systems tested by a large organization in a period of a few months, but despite being so simple, underneath lurks a raft of potential issues. If, for instance, management starts pressuring the business units or departments whose software most often fails security testing to 'pull their socks up', an obvious but counterproductive response would be to lower the security criteria or reduce the amount or depth of security testing.

The number of security issues identified by testing would also be a simple metric to gather but again not easy to interpret. If the metric is tracking upwards (as seen on ...

Seven design goals for security awareness

Excellent security awareness programs satisfy the following seven design goals:

1) Inclusivity

Information security is, and should be perceived as, everyone's responsibility, hence the awareness program should reach everyone in the organization, i.e. employees (staff and managers) in every location, business unit, function or department, plus contractors, consultants, temps and other third-party employees working for the organization. Ideally, the awareness activities should start with a new employee induction or orientation module covering the basics of information security for newcomers. Most of all, the awareness program should be visibly supported and endorsed by management, which in turn implies that managers themselves need to be security-aware and to understand the business value of security awareness. Involving managers in the formulation of security policies, rather than just presenting them as a fait accompli, is one way to ensure that they have their ...

SMotW #79: Employee turn vs account churn

Security Metric of the Week #79: Employee turn versus account churn

This week's metric is typical of the kind of thing that often crops up in security metrics workshops and meetings. Whenever someone invents or discovers a metric like this, they are often enthusiastic about it, and that enthusiasm can be infectious. The rhyme in 'employee turn versus account churn' is eye-catching: for some reason buried deep in the human psyche, we find the phrase itself strangely attractive, hence the metric is curiously intriguing. We've fallen into a classic trap: the metric sounds 'clever' whereas, in reality, this is a triumph of form over substance. It is far from clear from the cute phrase what the metric is actually measuring, how, why, and for whom. What are 'employee turn' and 'account churn', exactly, and why would we want to compare them? What would that tell us about information security anyway? In practice, someone at the workshop would p...

New listing of ISO27k standards

I have rewritten my listing of the ISO27k standards. It's now in a tabular format and as up to date as I can make it. Although the descriptions are brief, there are hyperlinks to the relevant information pages on each of the standards at ISO27001security.com. In addition to the 21 already available, several more ISO27k standards are at DIS or FDIS stage. Some may well be published before the end of the year. I am waiting patiently for the ANSI INCITS versions of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. I can't find them on the ANSI site as yet, but it has always been a bit of a mission to search the ANSI site. The 2005 versions were just US$30 for single-user PDFs direct from ANSI. IT Governance Ltd. in the UK is selling the 2013 versions, but at 60 quid a go I'll bide my time. Meanwhile, I'm making do with late drafts, and hoping not much changed when they were published.

Apple, Boeing & Disney socially engineered

The fifth annual social engineering capture-the-flag competition at DEFCON once again graphically illustrated the social engineering risk. Take 5 minutes to download and read this year's report: the results, particularly the implications for information security, are truly shocking. In short, the contestants were invited to socially engineer a number of items of information out of ten victim companies, all high-profile US brands (Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney). Contestants had some time ahead of the event to research their targets using published information and to prepare their pretexts. During the competition period, live on stage at DEFCON, they attempted to trick or persuade employees of the victim companies into parting with the "flags", pieces of information that should not have been disclosed, and generally succeeded. Listed on page 8 of the report, most of...

PRAGMATIC Security Metric of the Quarter #6

The league table for another three months' information security metrics shows a very close race for the top slot:

Metric                                                                  P   R   A   G   M   A   T   I   C  Score
Power consumed by the computer suite versus air conditioning capacity  81  69  89  92  80  99  98  90  98    88%
Security governance maturity                                           95  97  70  78  91  89  90  85  90    87%
Business continuity plan maintenance status                            75  75  90  73  84  76  80  77  93    80%
Number or proportion of security policies addressing viable risks      65  76  91  73  83  77  70  61  78    75%
Quality of security policies                                           80  85  40  66  72  75  80  80  80    73%
Number of controls meeting defined control criteria or objectives      88  86  88  65  78  60  26  90  70    72%
Corporation's economic situation                                       72  80  10  80  80  80  61  80  79    69%
% of highly privileged or trusted users or functions                   86  80  51  40  65  39  55  95  60    63%
...
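The scoring and ranking behind the tables on this page (the control-count metric in SMotW #81, the filtering of a long candidate list described in "On being cast adrift in a sea of metrics", and the league table above), as an added example that is not code from the blog or from the PRAGMATIC book. It assumes only what the page's figures bear out: each candidate is rated 0-100 against the nine criteria in P R A G M A T I C order, and the Score column is the rounded arithmetic mean of the nine ratings (71, 75, 72, 75, 88, 30, 50, 65, 43 averages to 63.2, printed as 63%; the eight league-table rows round the same way). The ratings are those printed on this page. The page spells out only Meaningfulness, Accuracy, Timeliness and Cost-effectiveness; the other criterion names are the book's expansion of the acronym. The 50-point "weak criterion" threshold, the 80% shortlist cut-off and the function names are my own choices for illustration.

```python
"""PRAGMATIC scoring and league-table helper (added example, not the blog's
or the book's own code). Assumptions: nine 0-100 ratings per metric in
P R A G M A T I C order; overall score = rounded mean of the nine. The
50-point weak-criterion threshold and 80% shortlist cut-off are illustrative."""
from typing import Dict, List, Sequence, Tuple

# The nine criteria in acronym order. The page spells out only Meaningfulness,
# Accuracy, Timeliness and Cost-effectiveness; the rest are the book's
# expansion of the PRAGMATIC acronym.
CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
            "Accurate", "Timely", "Independent", "Cost-effective")

# Ratings as printed on this page: the quarterly league table plus the
# control-count metric from SMotW #81, as scored by ACME's managers.
CANDIDATES: Dict[str, Sequence[int]] = {
    "Power consumed by the computer suite versus air conditioning capacity":
        (81, 69, 89, 92, 80, 99, 98, 90, 98),
    "Security governance maturity":
        (95, 97, 70, 78, 91, 89, 90, 85, 90),
    "Business continuity plan maintenance status":
        (75, 75, 90, 73, 84, 76, 80, 77, 93),
    "Number or proportion of security policies addressing viable risks":
        (65, 76, 91, 73, 83, 77, 70, 61, 78),
    "Quality of security policies":
        (80, 85, 40, 66, 72, 75, 80, 80, 80),
    "Number of controls meeting defined control criteria or objectives":
        (88, 86, 88, 65, 78, 60, 26, 90, 70),
    "Corporation's economic situation":
        (72, 80, 10, 80, 80, 80, 61, 80, 79),
    "% of highly privileged or trusted users or functions":
        (86, 80, 51, 40, 65, 39, 55, 95, 60),
    "Number of different information security controls":
        (71, 75, 72, 75, 88, 30, 50, 65, 43),
}


def pragmatic_score(ratings: Sequence[int]) -> int:
    """Overall score: rounded mean of nine 0-100 ratings (the control-count
    metric averages 63.2, which the page prints as 63%)."""
    if len(ratings) != len(CRITERIA):
        raise ValueError(f"expected {len(CRITERIA)} ratings, got {len(ratings)}")
    for name, rating in zip(CRITERIA, ratings):
        if not 0 <= rating <= 100:
            raise ValueError(f"{name} rating {rating} is outside 0-100")
    return round(sum(ratings) / len(ratings))


def weak_criteria(ratings: Sequence[int], threshold: int = 50) -> List[str]:
    """Criteria rated at or below the threshold: what is dragging the metric
    down, and therefore the first thing to argue about before adopting it."""
    return [name for name, rating in zip(CRITERIA, ratings) if rating <= threshold]


def league_table(candidates: Dict[str, Sequence[int]]) -> List[Tuple[str, int]]:
    """(name, score) pairs, highest score first; ties keep input order."""
    scored = [(name, pragmatic_score(ratings)) for name, ratings in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def shortlist(candidates: Dict[str, Sequence[int]], cutoff: int = 80) -> List[str]:
    """Names worth taking towards production: score at or above the cut-off."""
    return [name for name, score in league_table(candidates) if score >= cutoff]


def render(candidates: Dict[str, Sequence[int]], width: int = 40) -> str:
    """Plain-text league table in the page's Metric / P R A G M A T I C / Score layout."""
    header = f"{'Metric':<{width}} " + " ".join(f"{c[0]:>3}" for c in CRITERIA) + "  Score"
    lines = [header]
    for name, score in league_table(candidates):
        cells = " ".join(f"{r:3d}" for r in candidates[name])
        lines.append(f"{name[:width]:<{width}} {cells}  {score:4d}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CANDIDATES))
    for name, ratings in CANDIDATES.items():
        weak = weak_criteria(ratings)
        if weak:
            print(f"{name}: discuss {', '.join(weak)} before adopting")
```

Run as a script it prints the ranked table and, for each candidate, the criteria that need discussing first: for the control-count metric that is Accuracy, Timeliness and Cost-effectiveness, exactly the three ACME's managers marked down; for "Corporation's economic situation" it is the single Actionability rating of 10 that sinks an otherwise respectable metric. The validation in pragmatic_score matters in a workshop setting, where a missing or out-of-range rating quietly skews an average.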