




The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.
We need to agree on what we mean when we use the word MODEL. Why? Because if we don't start at the base of our pyramid of understanding then we can each be going down different paths without ever knowing it. When we create IT Security risk metrics we need to be conscious of the models underpinning those metrics so that we can interpret them wisely.
It is widely agreed that managing IT security risk requires security metrics. This seems to be where widespread agreement stops, however. If we are going to work through this phase of the maturing of IT security we must speak a common language derived from common conceptual frameworks.
The Common Vulnerability Scoring System (CVSS) was constructed as a Vulnerability Metric. However, there is no structural difference between CVSS and a generalized Risk Metric model. The types of information that go into both are the same and the behavior of CVSS is consistent with the model.
The products that my employer develops are all about buzzwords like Vulnerability, Compliance, and Risk. You will find these words and phrases all over the computer security field along with others, like Buffer Overflow, Malware, PUPS (potentially unwanted programs, meaning, stuff you probably don't want but if someone called it Malware someone could get sued), Data Loss Prevention, Host Intrusion Prevention System, SPAM, and Antivirus. Most folks are only really aware of one, Antivirus, and may think it means all of the above. :)