CIO Asia has a column on "A Few Good Metrics"
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63
The article talks about using metrics to quantify risks and control
effectiveness.
"There's no denying that proven economic principles can—and should—be
applied to information security investments. At the same time, a
bumper crop of valuable metrics exist that don't require classes on
Nobel Prize-winning theories or a working knowledge of the Greek
alphabet. You've actually already sowed the seeds of these less dense
but equally valuable metrics. They're sitting in your log files, on
your network, in the brains of your business unit managers, just
waiting to be harvested. You won't need computational prowess to
exploit this crop's value, just some legwork and—this is key—the most
effective presentation tools"
...
"Jaquith has sharp, sometimes contrarian opinions on what makes a
good metric and what makes for good presentation of metrics. For
example, he thinks annual loss expectancy (ALE), a tool used to
measure potential losses against probability of losses occurring over
time, is useless, because in infosecurity, the L and the E in ALE are
wild guesses. Quoting Geer, he says, "The numbers are too poor even
to lie with."
-gp
On Sep 18, 2005, at 10:17 AM, Kenneth R. van Wyk wrote:
FYI, there's a column in CIO Update by Ed Adams exploring some of the
reasons why secure software is so hard to find. Unlikely to be anything
new to SC-L readers, but it could be worth a quick read in any case. In
particular, his recommendations (to his presumably mostly CIO audience)
are quite different than what you might expect to find, say, here on
SC-L. In any case, you can find the article at:
http://www.cioupdate.com/trends/article.php/3548306

(Full disclosure: CIO Update is run by Jupiter Media, who also owns the
site (eSecurityPlanet.com) where I'm a monthly columnist.)
Cheers,
Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com