
Risk, Metrics, and Models

It is widely agreed that managing IT security risk requires security metrics. This seems to be where widespread agreement stops, however. We generally agree that the goal of an IT security metric is to figure out that a Bad Thing™ has happened, is happening, or can be expected to happen in the future. However, we are struggling to determine which metrics to use. Moreover, experts believe that this problem is both of great urgency and of research grade.


If we are going to work through this phase of the maturing of IT security, we must speak a common language derived from common conceptual frameworks. Take heart! We have examples to follow! The mathematics community has a long tradition of requiring that terms be defined as a prerequisite to effective communication. For example, there are long-standing and agreed-upon uses for the term METRIC.


Don't panic. I am not saying that the IT security community needs definitions and formalisms that mirror mathematical rigor. Moreover, the requirement is not that there be one definition, although having a single definition would simplify our lives. Rather, the minimum requirement for effective communication is that the definition we use be specified at the start of our conversation (or, at the latest, at the first use of the term).


And that brings me to the meat of our current conversation: modeling. I am comfortable in asserting that all useful metrics are derived from a specific formalism or model. If we want to agree on common IT security metrics then we need to agree on which formalisms and models are important.


Again, I am not saying that, with respect to models and formalisms, there can be only one. On the contrary, I will argue that there must be more than one. We are already in that position today, and I suggest that we embrace the value in that diversity. :)

Next time I would like to define what I mean by "model" and discuss why models are more valuable when they are predictive, descriptive, consistent, simple, structurally stable, and even when they are normative.

