Entries in vulnerability (3)

CIS Consensus Information Security Metrics - Converting Uncertainty into Risk

Full Disclosure

In my day job I am Solutions Architect for the McAfee Risk and Compliance Business Unit. Our products cover compliance management, risk management, IT security risk analysis, and a range of application and change control technologies.

[3/2/2010 note: when I wrote this article I worked for McAfee. I do, however, no longer. :)]

In a former life I evaluated complex, multidimensional data sets using models and metrics - I was a scientist performing quantitative analysis of noisy data. The result is that I've spent many years and a lot of energy thinking about and using models, metrics, and measurement. That background gives me certain views, opinions, and expectations.

Now that you know where I'm coming from let's talk about risk, measurements, metrics, and uncertainty. ;)

Click to read more ...

Are Vulnerability Metrics and Risk Metrics Different?

The Common Vulnerability Scoring System (CVSS) was constructed as a Vulnerability Metric. However, there is no structural difference between CVSS and a generalized Risk Metric model. The types of information that go into both are the same and the behavior of CVSS is consistent with the model.

Click to read more ...

Risk? What Do You Mean?

The products that my employer develops are all about buzzwords like Vulnerability, Compliance, and Risk. You will find these words and phrases all over the computer security field along with others, like Buffer Overflow, Malware, PUPS (potentially unwanted programs, meaning, stuff you probably don't want but if someone called it Malware someone could get sued), Data Loss Prevention, Host Intrusion Prevention System, SPAM, and Antivirus. Most folks are only really aware of one, Antivirus, and may think it means all of the above. :)

Click to read more ...