How about this idea? In hockey (I love hockey!) they had a hard time measuring how individual players' skills could be compared as they moved them around from line to line, and also how to give merit to the subtleties of all-around play such as good defensive skills, hard forechecking, hustle and good positional play. What was needed was a system to measure players' skills besides just goals and assists. So they came up with a system called Plus/Minus.

How's it work? Plus to the player if he is on the ice and his line scores; minus if he's on when his line gives up a goal. They can then keep a tally of each game and track the plus/minus through the season. It's really effective in seeing who's doing what, when, and where.

How does it relate? Examples: Well, if you are on the job and stop an intrusion or virus, or discover a new patch came out and get it applied right away before someone tells you, it's a plus. If you are slacking off and get infected by a virus because you failed to apply a patch, it's a minus. You could really have some fun with it and yet still get the job done, and keep stats as to who has the best plus/minus rating, etc.

How do you involve management? Examples: Well, they get a plus if they go with the plan you showed them and it stops an attack or stops a break-in. They get a minus if you told them you needed a new gizmo or widget and they said "sorry, not this month" and something bad happens.

Can you involve end users? Sure can! Examples: They get a minus if they opened that virus-infected email after you told them a thousand times not to open email attachments. They get a plus if they noticed that the email looks suspicious and called you right away!

Bottom line is: you have to keep the systems running and as secure as possible no matter what, or you are out of a job, but if you can get everyone involved in the security game you will definitely be better off. I know this isn't the conventional type of response, but I have found that the team approach to matters that are this large in scope can and does become very effective in making your life easier. There are tons of ways you can measure "this and that", or throw another application at the problem to do it programmatically, but there seem to be enough of them out there already, and who needs another application to administer? I sure don't!

Matt

-----Original Message-----
From: Led Slinger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 12:04 PM
To: [EMAIL PROTECTED]
Subject: Security Program Targets

I wanted to throw this question out to a broad range of security professionals because I have been struggling with this for quite some time. The question is simple, but the answers elude me.

How does one measure the success of a security program? I find it relatively simple to identify a risk and mitigate it using technology, but when corporate culture and business 'needs' butt heads with security requirements, I find myself losing more often than not. Simple things such as DMZ environments versus punch-throughs to forcing patches on developers. They are quite simple to understand and to implement, and the cost is not a factor; it's plain and simple 'time is money'. But rarely does the 'time is money' come into play when rebuilding a box due to NIMDA or some other tragedy du jour.

OK, that's mostly bitching about life, but where I'm trying to go with this is: if you develop a sound security program and implement it both tactically and strategically, how do you really measure its success? The number of incidents may go down, but even with a solid plan, the sheer number of new exploits and the fast rate of virus propagation may make the incident numbers go up. This really isn't a measure of success or failure in my book. Any suggestions, recommendations or general information would be tremendously helpful!

Cheers,
Leds!
--
There's nothing wrong with Windows until you install it........
