1 - Background
- What is Information Security?
- What is Risk Management?
- Why do we need Security Measurements?
Objectives:
- Understanding Security Evolution
- Measuring Security
2 - Security Evolution
The Past: a technical function
- Technical Security: Firewall, IDS, Access Control
The Present: an assurance function, mostly Risk Management
- Risk Management Process: the doughnut-shaped cycle
The Future
- Metrics supplementing Risk Management
2 - Security Evolution
The cycle: Assessment, Reporting, Prioritization, Mitigation
- Follow them, and you've got risk management!
- Good for vendors: service charges at each cycle
- Unpleasant for consumers: never clean
2 - Security Evolution
The Problem:
- Captures the easy part (identification and fixing)
- Misses the hard part (quantification and valuation of risk)
- Vendor tools are agnostic about the organizational context
- Real Risk Management should be identification, rating, mitigation and, above all, quantification of the risks
- Thus, today's Risk Management = Identify + Fix
2 - Security Evolution
FUD is the old model (Past and Present): FEAR, UNCERTAINTY and DOUBT
- The FEAR of the catastrophic consequences of an information attack
- The UNCERTAINTY about vulnerabilities
- The DOUBT about the sufficiency of existing controls
Shall we continue to rely on oracles and fortune tellers (vendors!) to give us security advice, and hope it will keep us safe?
3 - Security Metrics
Business questions:
- Is my security better this year?
- What am I getting out of my security investment?
- How do I compare to my peers?
Answers:
- Readily answered in other business contexts
- Silence and embarrassment in the security context
Metric = "a system of measurement"
3 - Security Metrics
Good metrics are:
- Consistently measured
- Cheap to gather
- Expressed as a cardinal number or percentage
- Expressed using at least one unit of measure
- Contextually specific
4 - Measuring Technical Security: Coverage and Control
4 - Measuring Technical Security: Availability and Reliability
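As an added example (not from the original deck), the following Python computes one metric of each kind named on the two Measuring Technical Security slides from constructed data: a coverage metric (percentage of hosts with an anti-virus agent), a control metric (patch latency in days) and an availability metric (percentage uptime). Each result carries a unit and is broken down by business unit or service, which is what the Good Metrics criteria ask for. The host inventory, outage records, dates, field names and business-unit names are all constructed for illustration; a real report would read them from a CMDB or endpoint-agent export and a monitoring system.

```python
"""Security metrics from a constructed asset inventory and outage log.

Added example, not part of the original slides. All data below is constructed.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

AS_OF = date(2024, 4, 1)              # constructed reporting date
PERIOD_START = datetime(2024, 3, 1)   # constructed reporting period (March 2024)
PERIOD_END = datetime(2024, 4, 1)

# Constructed host inventory: one record per host, with business unit (bu),
# whether the AV agent is present, and release/install dates of one patch.
HOSTS = [
    {"host": "web-01", "bu": "Retail",    "av_agent": True,  "patch_released": "2024-03-12", "patch_installed": "2024-03-15"},
    {"host": "web-02", "bu": "Retail",    "av_agent": True,  "patch_released": "2024-03-12", "patch_installed": "2024-03-20"},
    {"host": "db-01",  "bu": "Retail",    "av_agent": False, "patch_released": "2024-03-12", "patch_installed": None},
    {"host": "hr-01",  "bu": "Corporate", "av_agent": True,  "patch_released": "2024-03-12", "patch_installed": "2024-03-13"},
    {"host": "hr-02",  "bu": "Corporate", "av_agent": True,  "patch_released": "2024-03-12", "patch_installed": "2024-03-14"},
]

# Constructed outage log. The first record starts before the reporting period
# to show that outages are clipped to the period rather than counted in full.
OUTAGES = [
    {"service": "retail-web", "start": "2024-02-29T23:30:00", "end": "2024-03-01T00:10:00"},
    {"service": "retail-web", "start": "2024-03-09T02:00:00", "end": "2024-03-09T02:45:00"},
    {"service": "retail-web", "start": "2024-03-22T14:00:00", "end": "2024-03-22T14:15:00"},
    {"service": "hr-portal",  "start": "2024-03-10T08:00:00", "end": "2024-03-10T12:00:00"},
]


def coverage_pct(hosts, control):
    """Coverage metric (unit: %): share of hosts per business unit where `control` is present."""
    present, total = defaultdict(int), defaultdict(int)
    for h in hosts:
        total[h["bu"]] += 1
        if h[control]:
            present[h["bu"]] += 1
    return {bu: round(100.0 * present[bu] / total[bu], 1) for bu in total}


def patch_latency_days(hosts, as_of):
    """Control metric (unit: days): median release-to-install latency per business unit.

    A host still unpatched on `as_of` is counted at its latency so far, so an
    undeployed patch pushes the number up instead of silently dropping out.
    """
    latencies, unpatched = defaultdict(list), defaultdict(int)
    for h in hosts:
        released = date.fromisoformat(h["patch_released"])
        if h["patch_installed"] is None:
            unpatched[h["bu"]] += 1
            installed = as_of
        else:
            installed = date.fromisoformat(h["patch_installed"])
        latencies[h["bu"]].append((installed - released).days)
    return {bu: {"median_days": median(v), "unpatched": unpatched[bu]} for bu, v in latencies.items()}


def availability_pct(outages, service, period_start, period_end):
    """Availability metric (unit: %): share of the reporting period `service` was up.

    Each outage is clipped to [period_start, period_end) so an incident that
    straddles the boundary is neither over- nor under-counted.
    """
    period_s = (period_end - period_start).total_seconds()
    down_s = 0.0
    for o in outages:
        if o["service"] != service:
            continue
        start = max(datetime.fromisoformat(o["start"]), period_start)
        end = min(datetime.fromisoformat(o["end"]), period_end)
        if end > start:
            down_s += (end - start).total_seconds()
    return round(100.0 * (period_s - down_s) / period_s, 3)


if __name__ == "__main__":
    print("AV agent coverage (%):", coverage_pct(HOSTS, "av_agent"))
    print("Patch latency (days):", patch_latency_days(HOSTS, AS_OF))
    print("retail-web availability (%):", availability_pct(OUTAGES, "retail-web", PERIOD_START, PERIOD_END))
```

Note that every function returns a number with a stated unit, grouped by a context (business unit or service), and is derived the same way each reporting period from records an organization already keeps; that is what makes these metrics consistently measured and cheap to gather rather than one-off assessments.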
5 - Measuring Security Program
- Frameworks: COBIT, ISO 2700x, NIST...
- A Security Program contains Controls
- Some Controls are also Processes
Examples of Security Processes include:
- Risk Management
- Policy Development and Compliance
- Human Resource Security
- Human Education
- Incident Management
- Information Continuity Management
5 - Measuring Security Program: Planning and Organization
5 - Measuring Security Program: Acquisition and Implementation
5 - Measuring Security Program: Delivery and Support
5 - Measuring Security Program: Monitor and Evaluate
Information Security – the protection of critical information/data, from its creation until its destruction, regardless of where it is located (technology, paper, mind). It is more a governance and management issue than a purely technical one. It is safe to say that Information Security is a subset of the risk management discipline; after all, it is the risks from which we need to protect the critical information assets.

Risk Management – taking deliberate action(s) to shift the odds/probability/chances in your favor, that is, increasing the odds of good outcomes and reducing the odds of bad outcomes. Example: driving a car, and managing the risk of an accident. But to change the odds we have to know what the odds are, and we have to be able to detect how the odds change under our influence. To do this, we need security metrics.

Define Security Metrics – Security metrics are the servants of risk management, and risk management is about making decisions. Therefore, the only security metrics we are interested in are those that support decision making about risk.

Security measurements are not only required for improvement; they are a must for managing the risk. This is where the traditional saying applies: "You cannot manage something that you cannot measure."

Security is one of the few areas of management that does not possess a well-understood canon of techniques for measurement. In logistics, for example, metrics such as "freight cost per mile" and "inventory warehouse turns" help operators understand how efficiently trucking fleets and warehouses are run. In finance we have "Value at Risk". By contrast, security has exactly nothing.