Risk Topics

at least five problems with security metrics


Last year, I participated in a panel on "metrics that matter" at RSA. One of the memorable bits of feedback from an audience member is that we didn't answer the question of which metrics matter. Frankly, when it comes to information risk, it's a complex morass of non-obvious hazards.

Good ol' Dark Reading provides an article with a good description of four of the common problems in The Four Big Problems With Security Metrics. If I could add a fifth, it would be that I've never found a metric that can answer a President's most likely question, which would be, "So, we're secure?" or maybe, "Hey, are we doing something about this .. um.. APT thing?"

© 2013 - 2019 werneburg information risk management inc.