My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight:
Chris Walsh wrote:
> It's time for a Marines vs. Air Force slapdown!
I should have anticipated that someone on this list would read my blog!
I do not agree with all of Donn's points, and I state in my post some
of his ideas are weak. I would prefer Donn defend himself in person.
However, I am going to stand by this statement:
"As security professionals I agree we are trying to reduce risk, but
trying to measure it is a waste of time."
I agree with Donn that a risk measurement approach has not made us
more secure. That does not mean nothing can be measured. It also
does not mean that measurements are worthless.
Removing the double negatives, I am saying that some things can be
measured, and measurements can be worthwhile.
Rather than spending resources measuring risk, I would prefer to see
measurements like the following:
1. Time for a pen testing team of [low/high] skill with [external/internal] access to obtain unauthorized access to a specified asset using [public/custom] tools and [zero/complete] target
Note this measurement contains variables affecting the time to successfully compromise the asset.
2. Time for a target's intrusion detection team to identify said intruder (pen tester), and escalate incident details to the incident
3. Time for a target's incident response team to contain and remove said intruder, and reconstitute the asset.
These are the operational sorts of problems that matter in the real
world. These are only three small ideas -- not a comprehensive
approach to the problem set.
PS: Go Air Force. :)