Posts

Announcing Metricon 1.0

March 30, 2006
metricon

At this year’s RSA show, a decent portion of the securitymetrics mailing list (about 30 people) convened for lunch. I enjoyed meeting my colleagues immensely, and I received good feedback from others who attended. One thing everyone agreed on is there is enough activity in the security metrics area to merit convening the group a bit more formally. Thus, I am pleased to announce Metricon 1.0, the first-ever convention devoted exclusively to security metrics. ...

Aggregation

March 4, 2006
aggregation

The following provides information on techniques for aggregating, refining, and reporting security metrics. Fair game for this page includes technologies for gathering and transforming raw data, generating reports, and creating security dashboards. Security Metrics Guide for Information Technology Systems, Swanson M, Bartol N, Sabato J, Hash J, & Graffo L, Security Metrics Guide for Information Technology Systems, NIST Special Publication 800-55 (Washington, DC: National Institute of Standards and Technology, 2003), 99 pp, PDF. ...

Metrics Definitions

December 2, 2004
definitions

No consensus exists on what security metrics should be used for measuring security effectiveness. This page documents commentary on metrics definitions from external sources. Metrics Definitions. The Robert Frances Group recently reported in CSO magazine that the companies it surveyed used these metrics definitions: Click on the link above to see the full article.

Security Modeling

August 25, 2004
modeling

This page includes links to research that attempts to model security phenomena mathematically. Cascade control in complex networks, Motter AE, Max Planck Institute, report #mpi-pks/0312006, 4pp, 10 July 2004, PDF. Complex networks with a skewed distribution of loads may undergo a global cascade of overload failures when key elements of the network are attacked or removed. Since a small shock has the potential to trigger a global cascade, a fundamental question regards the possible mechanisms of defense. ...

Empirical Studies

August 25, 2004
empirical

This section includes links to studies and research measuring current security practices. The topics may (or may not) be related to security economics. Fair game includes end-user policies and practice, password effectiveness, patch management, and other subjects that lend themselves to controlled studies. End-User Security. The Memorability and Security of Passwords – Some Empirical Results, Yan J, Blackwell A, Anderson R, & Grant A, June 2004. Ross Anderson and colleagues from Cambridge University have released an empirical study of password effectiveness measuring the relative effectiveness of simple, random, and mnemonic passwords. ...