The InfoSec Blog
28May/10

“Impact” is not a Metric

I never like to see the term 'impact'.
It's not a metric.

I discuss how length, temperature and weight are metrics, whereas speed, acceleration and entropy are derived values. In the same sense, 'impact' is a derived value: "the cost of the harm to an asset". The value of an asset can be treated as a primary metric, but how much it is "impacted" is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics, as we see when people treat 'risk' as if it were something tangible, never mind a metric!

It's not. It should be treated as just two things:

  1. A means of prioritising
     Higher risk items should be addressed first and most-est. If we just consider 'impact' then things like meteor strikes and the sun going nova get the effort, and things like car safety, sanitation and growing food get short-changed.
  2. A means of measuring results
     I've admitted that the CRE doesn't deal with controls. It doesn't help you choose controls or evaluate which will be more effective, but the end result, re-running your RA, will show that the probability of the exploit has changed.


I'd also like to point out that IT's view of business goals may be different from marketing's, different from operations', different from the president's. And those groups may themselves not even have a clear and succinct expression of goals.

To my mind, discussing 'business goals' in this context is pretentious.

Talking about "impact" in the same sentence as "probability" leads to confusion between low-impact high-probability events and high-impact low-probability events. Some people seem to think that this is artificial and absurd. No, it's not. Death by a "thousand duck-bites" and death by being hit by a meteorite is still death. One is dramatic and instant, the other is gradual. We are evolutionarily conditioned to deal with the big events.

Emotionally it's absurd, yes; factually it's not. That's why we need the discipline of process and not to go by emotion.
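To put the prioritising point, and the "re-run your RA" point from the list above, into something you can run: the following is an added example of mine, not code from the post. It builds a constructed risk register (the scenario names, probabilities and asset values are made up for illustration), ranks it by 'impact' alone and then by probability times impact, and re-runs the assessment after a hypothetical control that only changes the probability of one scenario.

```python
# Added example, not code from the post: a constructed risk register showing
# why 'impact' alone is a poor way to prioritise, and how re-running the
# assessment after a control shows the change in probability.
# Scenario names, probabilities and asset values below are constructed
# illustrations, not figures from the post.
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # expected occurrences per year
    asset_value: float         # primary metric: what the asset is worth
    exposure_factor: float     # fraction of the asset's value lost per occurrence

    @property
    def impact(self) -> float:
        """Derived value: the cost of the harm to the asset, per occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def expected_loss(self) -> float:
        """Derived value used for prioritising: probability x impact, per year."""
        return self.annual_probability * self.impact


# Constructed register: one dramatic-but-rare event next to mundane-but-frequent ones.
REGISTER: List[Scenario] = [
    Scenario("meteorite strike on data centre", 1e-7, 50_000_000, 1.0),
    Scenario("laptop theft", 2.0, 5_000, 1.0),
    Scenario("phishing-led credential loss", 4.0, 200_000, 0.25),
    Scenario("ransomware outbreak", 0.1, 10_000_000, 0.6),
]


def rank_by_impact(register: List[Scenario]) -> List[str]:
    """The 'impact only' ordering: the meteorite wins every time."""
    return [s.name for s in sorted(register, key=lambda s: s.impact, reverse=True)]


def rank_by_expected_loss(register: List[Scenario]) -> List[str]:
    """The risk ordering: probability and impact considered together."""
    return [s.name for s in sorted(register, key=lambda s: s.expected_loss, reverse=True)]


def apply_control(register: List[Scenario], name: str,
                  probability_multiplier: float) -> List[Scenario]:
    """Re-run the assessment with a control in place.

    A control is modelled only as a change to the probability of the
    exploit; the asset value (the primary metric) and the exposure factor
    are left alone, so 'impact' is unchanged and only the risk moves.
    """
    return [
        replace(s, annual_probability=s.annual_probability * probability_multiplier)
        if s.name == name else s
        for s in register
    ]


def total_expected_loss(register: List[Scenario]) -> float:
    """Sum of per-scenario expected loss: a single figure to compare two runs."""
    return sum(s.expected_loss for s in register)


if __name__ == "__main__":
    print("by impact:       ", rank_by_impact(REGISTER))
    print("by expected loss:", rank_by_expected_loss(REGISTER))
    # Hypothetical control: assume it cuts the phishing scenario's probability to 2% of before.
    after = apply_control(REGISTER, "phishing-led credential loss", 0.02)
    print("after control:   ", rank_by_expected_loss(after))
    print(f"annual expected loss {total_expected_loss(REGISTER):,.0f}"
          f" -> {total_expected_loss(after):,.0f}")
```

Ranking by impact puts the meteorite first and laptop theft last; ranking by expected loss reverses that, because a once-in-ten-million-years event with a fifty-million loss is worth about five a year. After the hypothetical control, the phishing scenario drops below laptop theft in the ordering while every scenario's 'impact' figure is exactly what it was before: the control moved the probability, and re-running the assessment is what makes that visible.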

I've quoted a number of times that in the relevant years, the mortality rate on America's roads exceeded that of serving in Vietnam. But Vietnam got more publicity and more emotional engagement from the masses. If your family was one affected by a death, does it matter whether it's on the road or in a distant country?

Roads are dangerous.
In the aftermath of 9/11, people in the USA decided to drive cross-country rather than fly. That is an emotional reaction, and one that actually increases the risk. The stats are in for the following two years and show that the increase in the annual death rate on the roads in each of those years exceeded the mortality rate of 9/11 itself. But which gets the publicity?

Sorry, I go by the numbers.

I'd suggest reading the books "The Unthinkable" and "Against the Gods: The Story of Risk".


Posted by Anton Aylward
