The InfoSec Blog

“Impact” is not a Metric

Posted by Anton Aylward

I never like to see the term 'impact'.
It's not a metric.

Elsewhere I discuss how length, temperature and weight are metrics, whereas speed, acceleration and entropy are derived values. In the same sense, 'impact' is a derived value: "the cost of the harm to an asset". The value of an asset can be treated as a primary metric, but how much it is "impacted" is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics, that we see when people treat 'risk' as if it were something tangible, never mind a metric!

Risk Analysis Makes No Sense … does it?

Posted by Anton Aylward


Take a look at this article.
http://www.zdnet.com/blog/security/security-engineering-broken-promises/6503

You're back? What did you think of it?

OK, now look again and scroll down to the section titled "Risk Management". It picks up on a number of themes I've discussed and makes this interesting observation:

Prioritization of security efforts is a prudent step, naturally. The problem is that when risk management is done strictly by the numbers, it does deceptively little to actually understand, contain, and manage real-world problems. Instead, it introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work.

Guess what? No dice:

The author goes on to illustrate a number of ways that the approach we as the InfoSec community have preached and practised makes no sense.

Risk is Not a Primary Metric

Posted by Anton Aylward

"Risk" is not a primary metric.

What do I mean by that?
Primary metrics you can measure directly.
In physics they are things like length, weight, temperature and time duration.
Secondary metrics most people can understand: the rate of change we call speed (distance divided by elapsed time).
Some secondary and many tertiary metrics we can understand intellectually, but they have to be tabulated and calculated: acceleration, for instance.
Some, such as ENTROPY, still baffle people.

My experience with managers is that they often confuse risk for any number of things, not least of all simply equating risk to threats.

Then again, I've met managers who would only commission a TVA if it was a contractual requirement, and then they might just ignore it, or, if the contract required it, use it obsessively but with no actual understanding. BTDT.

What matters most to managers are things they can measure.

The Classical Risk Equation

Posted by Anton Aylward

What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following:

RISK is the
PROBABILITY that a
THREAT will exploit a
VULNERABILITY to cause harm to an
ASSET

R = f(T, V, A)

Why do you think they are called "TVAs"?

More sensibly the risk is the sum over all the various ..
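As an added worked example (my own code here, not the post's, and not a method the post prescribes), this carries the point of both the "Impact is not a Metric" post and this one into code: asset value is the only directly measured quantity, impact is derived from it, and risk is the sum of f(T, V, A) over every (threat, vulnerability, asset) triple that actually applies. It assumes one common annualised expected-loss form, rate of occurrence times exploit probability times (asset value times exposure fraction); the inventory, rates and probabilities are constructed for illustration.

```python
# Added example (not from the post): risk as a value derived from primary
# metrics.  Asset value is the only directly measured quantity here; impact
# and risk are computed from it.  Assumed form (one common annualised
# expected-loss model, not something the post specifies):
#   R = sum over (T, V, A) of ARO(T) * P(exploit | T, V) * impact(A, V)
#   impact(A, V) = value(A) * exposure(V)
# All names and numbers below are constructed for illustration.
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # primary metric: what the asset is worth (currency units)


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float            # estimated annualised rate of occurrence (events/year)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str            # name of the asset it exposes
    threats: frozenset    # names of the threats that can exploit it
    p_exploit: float      # probability an occurring threat succeeds through it
    exposure: float       # fraction of asset value lost on success, 0..1


def impact(asset: Asset, vuln: Vulnerability) -> float:
    """Derived, not measured: single-loss expectancy = value * exposure."""
    return asset.value * vuln.exposure


def risk_term(threat: Threat, vuln: Vulnerability, asset: Asset) -> float:
    """One f(T, V, A) term: expected annual loss from this one triple."""
    return threat.aro * vuln.p_exploit * impact(asset, vuln)


Key = Tuple[str, str, str]


def annualised_risk(assets: Iterable[Asset], threats: Iterable[Threat],
                    vulns: Iterable[Vulnerability]) -> Tuple[float, Dict[Key, float]]:
    """Sum risk over every (threat, vulnerability, asset) triple that applies."""
    by_name = {a.name: a for a in assets}
    breakdown: Dict[Key, float] = {}
    for t, v in product(threats, vulns):
        if t.name not in v.threats:
            continue                      # this threat cannot use this vulnerability
        if v.asset not in by_name:
            raise KeyError(f"vulnerability {v.name} names unknown asset {v.asset}")
        a = by_name[v.asset]
        breakdown[(t.name, v.name, a.name)] = risk_term(t, v, a)
    return sum(breakdown.values()), breakdown


def ranked(breakdown: Dict[Key, float]) -> List[Tuple[Key, float]]:
    """Largest contributors first: the terms worth funding controls against."""
    return sorted(breakdown.items(), key=lambda kv: kv[1], reverse=True)


# --- constructed sample inventory (hypothetical) -----------------------------
ASSETS = [Asset("customer-db", 500_000.0), Asset("web-front", 50_000.0)]
THREATS = [Threat("phishing", 4.0), Threat("opportunistic-scan", 12.0)]
VULNS = [
    Vulnerability("weak-admin-creds", "customer-db", frozenset({"phishing"}), 0.25, 0.6),
    Vulnerability("unpatched-cms", "web-front",
                  frozenset({"phishing", "opportunistic-scan"}), 0.10, 0.5),
]


def sample_total() -> float:
    """Total annualised risk for the sample inventory."""
    return annualised_risk(ASSETS, THREATS, VULNS)[0]


def sample_top_term() -> Key:
    """The (threat, vulnerability, asset) triple contributing the most risk."""
    return ranked(annualised_risk(ASSETS, THREATS, VULNS)[1])[0][0]


if __name__ == "__main__":
    total, parts = annualised_risk(ASSETS, THREATS, VULNS)
    for key, r in ranked(parts):
        print(f"{key}: {r:,.0f}/year")
    print(f"total annualised risk: {total:,.0f}/year")
```

Note what is measured and what is estimated: only `Asset.value` is a primary metric. The rate of occurrence, the exploit probability and the exposure fraction are estimates, so every impact and risk figure the script prints inherits their uncertainty, which is exactly why those figures cannot be treated as metrics in their own right.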

This isn't just me sounding off. Richard Bejtlich says much the same thing and defends it against various sources. I can't do better than he has.