
CIS Consensus Information Security Metrics - Converting Uncertainty into Risk

Full disclosure

In my day job I am Solutions Architect for the McAfee Risk and Compliance Business Unit. Our products cover compliance management, risk management, IT security risk analysis, and a range of application and change control technologies.

[3/2/2010 note: when I wrote this article I worked for McAfee. I do, however, no longer. :)]

In a former life I evaluated complex, multidimensional data sets using models and metrics - I was a scientist performing quantitative analysis of noisy data. The result is that I've spent many years and a lot of energy thinking about and using models, metrics, and measurement. That background gives me certain views, opinions, and expectations.

Now that you know where I'm coming from let's talk about risk, measurements, metrics, and uncertainty. ;)

What We Need

IT security is a relatively young field. Our ability to create and leverage models that consume data (measurements, metrics) and predict when a Bad Thing™ might happen is not where we really want it to be.

I have written on this topic before. In that article I propose that our best path to mitigating IT security risk is to be able to estimate with some confidence that a Bad Thing™:

  1. has occurred in the past
  2. is happening right now
  3. may or will happen in the future

Measurement - collection of events from our environment - can help us with the first task. If we are nimble and quick on our feet then measurements and metrics can even help us with the second task by triggering alarms in an efficient manner.

Sadly, data alone cannot help us with the third. Before we can get there we need enough of the right kinds of data so that we can analyze, correlate, and model.

Something We Do Have

The Center for Internet Security have organized a boatload of knowledgeable people to agree on and promote a collection of measurements and metrics that we can use. They call them the CIS Consensus Information Security Metrics.

There are twenty measurements and metrics listed in the white paper, grouped into six different categories. I have included the list below, but I encourage you to download the white paper and read through the details. If you do, you'll find that they are all things you should be tracking in your security environment today and that they are all "good common sense".

Several of the metrics in the collection are for coverage of key metrics across your organization - that is, they are measures of possible holes in your risk management program.  As I've argued before, RISK is better than UNCERTAINTY and uncertainty arises from a lack of data. If you improve your security posture by closing holes revealed by these metrics then you will find yourself moving your organization from the realm of managing UNCERTAINTY and into the realm of managing RISK.

Now, if I could get my hands on a large, anonymized data set that includes these metrics I think we could make some progress toward predictive metrics and models.

-Eric

p.s. Here is that list of categories and metrics. Enjoy!

Incident Management

  • Mean time to incident discovery
  • Incident rate
  • Mean time between incidents
  • Mean time to incident recovery

Vulnerability Management

  • Vulnerability scan coverage
  • Percent of systems without known severe vulnerabilities
  • Mean time to mitigate vulnerabilities
  • Number of known vulnerable instances

Patch Management

  • Patch policy compliance
  • Patch management coverage
  • Mean time to patch

Configuration Change Management

  • Mean time to complete changes
  • Percent of changes with security review
  • Percent of changes with security exceptions

Application Security

  • Number of applications
  • Percentage of critical applications
  • Risk assessment coverage
  • Security testing coverage

Financial

  • Information security budget as a percentage of IT budget
  • Information security budget allocation
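As an added example (not part of the original post or the CIS white paper), the sketch below computes three of the Incident Management metrics and vulnerability scan coverage from constructed records, and reports the coverage gaps that the post describes as holes in a risk management program. The formulas are assumptions read from the metric names, and all hostnames, dates, and function names are hypothetical; check the white paper for the exact definitions.

```python
from datetime import datetime, timedelta

# Constructed sample data: (occurred, discovered, recovered) per incident.
INCIDENTS = [
    ("2010-01-04 08:00", "2010-01-06 08:00", "2010-01-07 08:00"),
    ("2010-01-15 12:00", "2010-01-15 18:00", "2010-01-16 12:00"),
    ("2010-02-01 00:00", "2010-02-04 00:00", "2010-02-05 00:00"),
]
# Constructed asset inventory and the hosts the scanner actually reached.
INVENTORY = {"web01", "web02", "db01", "mail01", "hr-laptop"}
SCANNED = {"web01", "web02", "db01", "lab-vm"}  # lab-vm is not in inventory


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _mean_hours(deltas):
    deltas = list(deltas)
    if not deltas:  # no data means the metric is undefined, not zero
        return None
    return sum(deltas, timedelta()).total_seconds() / 3600 / len(deltas)


def incident_metrics(incidents):
    """Assumed formulas: discovery/recovery are measured from occurrence;
    time between incidents runs from one recovery to the next occurrence."""
    rows = sorted(tuple(_ts(field) for field in row) for row in incidents)
    return {
        "mean_time_to_discovery_h": _mean_hours(d - o for o, d, _ in rows),
        "mean_time_to_recovery_h": _mean_hours(r - o for o, _, r in rows),
        "mean_time_between_incidents_h": _mean_hours(
            nxt[0] - prev[2] for prev, nxt in zip(rows, rows[1:])
        ),
    }


def scan_coverage(inventory, scanned):
    """Coverage counts only inventoried hosts; the two gap lists are the
    'holes': hosts never scanned, and scanned hosts nobody has inventoried."""
    covered = inventory & scanned
    percent = 100 * len(covered) / len(inventory) if inventory else None
    return {
        "coverage_percent": percent,
        "unscanned": sorted(inventory - scanned),
        "not_in_inventory": sorted(scanned - inventory),
    }


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
    print(scan_coverage(INVENTORY, SCANNED))
```

A coverage figure below 100 percent, or any host in `not_in_inventory`, marks the part of the environment where the other metrics say nothing.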

 
