Guide to Security Metrics

Shirley C. Payne
Director, IT Security & Policy
University of Virginia

Lockdown 08 Conference, University of Wisconsin, July 23rd, 2008

Agenda

• Metrics defined
• Value of security metrics
• State of security metrics today
• Underlying framework
• Steps for building a security metrics program
• Road to success

Measurements and metrics – same thing?

Measurements:
• Provide single-point-in-time views of specific, discrete factors
• Generated by counting
• Objective raw data

Metrics:
• Derived by comparing two or more measurements taken over time to a predetermined baseline
• Generated by analysis
• Objective or subjective human interpretations of those data

The Mark of Good Metrics

Metrics should be SMART:

• Specific: well-defined, using unambiguous wording
• Measurable: quantitative when feasible
• Attainable: within budgetary and technical limitations
• Repeatable: the measurements from which the metric is derived do not vary depending on the person taking them
• Time-dependent: takes into consideration measurements from multiple time slices

George Jelen, "SSE-CMM Security Metrics"

Truly Useful Metrics…

• Indicate the degree to which security goals are being met
• Show linkage between security and institutional goals
• Drive actions taken to improve the overall security program

Rate These Metrics (against the SMART criteria)

• % of servers that are secure
• % of employees who are aware of security threats
• # of unauthorized accesses to sensitive data
• % of total IT budget spent on security
• Web application vulnerabilities found during July 2008 penetration test

The Value of Security Metrics

They can:
• Discern the effectiveness of a particular component of a security program
• Indicate the security of a specific system, product, or process
• Identify the risk in not taking a given action and, thereby, help prioritize corrective actions
• Provide evidence of regulatory compliance
• Raise the level of security awareness among executives and other stakeholders
• Show the contribution of security to meeting institutional goals and objectives

The Value of Security Metrics (continued)

They can also:
• Demonstrate the ability of security staff and departments to address the security issues for which they are responsible
  • Influence is often data dependent
• Provide a basis for security managers to answer tough questions, such as:
  • Are we more secure today than we were before?
  • How do we compare to others in this regard?
  • Are we secure enough?
• Prove you deserve a raise!

State of Security Metrics Today
(or, why developing good metrics can be challenging)

How useful is this metric?

"Reported data breaches increased sharply in the first six months of 2008, jumping 69 percent compared to the same period last year, according to a study by the Identity Theft Resource Center (ITRC). But the percentage of breaches occurring in the government sector has dropped steadily in the past three years."
July 2, 2008

Consider These Facts

• Unlike private industry, governmental and educational institutions have historically been quite open about incidents that occurred.
• Increasingly, state laws are requiring both private and public sector entities to report incidents.
• Organizations with poor security programs don't know when breaches occur.
• Impact of Incident A ≠ Impact of Incident B

Taken together: a count of reported breaches tracks reporting obligations and detection capability at least as much as it tracks actual security, so the headline figure says little about whether any sector became safer.

How To Measure Risk?

Risk = Asset Value x Threat x Vulnerability

• Asset Value: easiest to measure in some cases, but how to quantify assets like institutional reputation?
• Threat: very hard to measure the potential for harm, although information from external sources may be useful.
• Vulnerability: CIS benchmarks and output from other tools provide good information, but not all vulnerabilities can be quantified.
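The formula above applied to a short constructed asset list, as an added example that is not part of the presentation. Each factor is scored on an assumed 1-5 ordinal scale; the factor the slide calls hard to quantify (institutional reputation) is carried as a band rather than a number, and the ranking is recomputed under a second band mapping to show how much that one judgment moves the priorities. The asset names, scores and both band mappings are constructed for illustration.

```python
"""Risk = Asset Value x Threat x Vulnerability, used to rank corrective actions.

Added example for this deck (not the presenter's code). Assumptions: every
factor is on a 1-5 ordinal scale; a factor that cannot be counted (here the
value of institutional reputation) is recorded as a band and mapped onto the
scale by a table the caller chooses. Assets and scores below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Factor = Union[int, str]  # a 1-5 score, or a band name when the factor is qualitative

# Assumed band-to-score mapping for factors that cannot be measured directly.
BANDS: Dict[str, int] = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Same bands with 'high' treated as worst case: an equally defensible reading.
WORST_CASE_BANDS: Dict[str, int] = {**BANDS, "high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    value: Factor          # asset value (replacement cost band, or reputational band)
    threat: Factor         # potential for harm, e.g. informed by external threat reporting
    vulnerability: Factor  # e.g. derived from CIS benchmark results or scanner output


def score(factor: Factor, bands: Dict[str, int] = BANDS) -> int:
    """Map a factor onto the 1-5 scale: numbers must already be on it, bands are looked up."""
    if isinstance(factor, int):
        if not 1 <= factor <= 5:
            raise ValueError(f"score {factor} is outside the 1-5 scale")
        return factor
    return bands[factor.lower()]


def risk(asset: Asset, bands: Dict[str, int] = BANDS) -> int:
    """Risk = Asset Value x Threat x Vulnerability (1..125 on the assumed scale)."""
    return (score(asset.value, bands)
            * score(asset.threat, bands)
            * score(asset.vulnerability, bands))


def rank(assets: List[Asset], bands: Dict[str, int] = BANDS) -> List[Tuple[str, int]]:
    """Highest risk first; ties broken by name so two analysts get the same order (repeatable)."""
    scored = [(a.name, risk(a, bands)) for a in assets]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed assets for the example; not real systems or real scores.
ASSETS = [
    Asset("student records database", value=5, threat=4, vulnerability=2),
    Asset("departmental web server", value=2, threat=5, vulnerability=5),
    Asset("institutional reputation (public website)", value="high", threat=3, vulnerability=3),
]

if __name__ == "__main__":
    print("default bands:   ", rank(ASSETS))
    print("worst-case bands:", rank(ASSETS, WORST_CASE_BANDS))
```

The second mapping is the caveat from the slide made concrete: when one factor is a judgment rather than a count, the product is only as repeatable as that judgment, so the band table used should be recorded alongside the metric, not left in someone's head.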

The State of Security Metrics Research

In the last few decades, Information Security has gained numerous standards, industrial certifications, and risk analysis methodologies. However, the field still lacks the strong, quantitative, measurement-based assurance that we find in other fields.

Security looks different. Even a fairly sophisticated standard such as ISO 17799 has an intrinsically qualitative nature.

Furthermore, many recorded security incidents have a non-IT cause. As a result, security requires a much wider notion of "system" than do most other fields in computer science. In addition to the IT infrastructure, the "system" in security includes users, work processes, and organizational structures.

Call for papers, 4th International Workshop on Quality of Protection - Security Measurements and Metrics, May 27, 2008

Promising News

• An EDUCAUSE/Internet2 Security Task Force sub-group on security metrics has been formed
• Goals are to provide:
  • metrics that can be reported to management; and
  • metrics that can be shared and compared across institutions.
• Currently working on defining operational, incident, and compliance metrics. Others possibly to follow.
• Criteria for selecting metrics: automated, repeatable, and quantitative

Building an Effective Metrics Program

• Leverage any existing process improvement frameworks familiar to the organization. Examples:
  • Six Sigma Breakthrough Strategy
  • Highly visible tracking of standards compliance
  • Tight linkage of department goals and objectives to those of the overall institution
  • Strong focus within the institution on ROI, on-time/on-schedule project completion, national rankings, etc.

Seven-Step Methodology

1. Define goal(s) and objectives
2. Decide what metrics to generate
3. Develop strategies for generation
4. Establish benchmarks and targets
5. Determine how to report
6. Create action plan
7. Review and refine

Step 1: Define the metrics program goal(s) and objectives

• Clearly state the end toward which all metrics and measurements should be directed
• Indicate the high-level actions that must be collectively accomplished to meet the goal(s)

Step 2: Decide what metrics to generate

• Use an existing process improvement framework to determine metrics
  EXAMPLE: In a compliance-based framework, a metric might be the degree of increase in ISO 17799 compliance since the standard was adopted, based on audit findings.
• In the absence of, or in addition to, a pre-existing framework, use a top-down or bottom-up approach for determining what metrics might be desirable

Top-down Approach

a. Define/list objectives of the overall security program within the institution
   Example: To reduce the number of virus infections by 30% by 2010

b. Identify metrics that would indicate progress toward each objective
   Example: Current ratio of viruses in the wild to actual infections, as compared to the baseline 2008 figure

c. Determine the measurements needed for each metric
   Examples: Number of viruses in the wild as reported by abc external source; number of virus infections detected

Bottom-up Approach

a. Identify measurements that are/could be collected for this process
   Example: Monthly number of critical vulnerabilities detected in servers using xyz scanning tool

b. Determine metrics that could be generated from the measurements
   Example: Change in number of critical vulnerabilities detected in servers since xyz scanning tool was implemented

c. Determine the association between the derived metrics and established objectives of the overall security program
   Example: To reduce the number of detectable vulnerabilities on servers by 95% by 2009

Step 3: Develop strategies for generating the metrics

• Identify sources of data:
  • IT groups (help desk, network engineers, application developers, ….)
  • Auditors
  • Training
  • Emergency management
• Decide on the frequency of data collection
• Assign responsibility for assuring the accuracy of raw data
• Develop methods for compiling data into measurements and generating metrics

Step 4: Establish benchmarks and targets

• Research observed trends and recommendations from professional associations, published research, etc.
• Set reachable targets

Step 5: Determine how the metrics will be reported

• Effective communication of metrics is obviously key. Don't over-simplify, but present clearly.
• Vary what is reported, and how, depending upon the audience:
  • Security manager and staff
  • Department managers
  • Executives
• Determine context, format, frequency, distribution method, and reporting responsibility

Step 6: Create an action plan and act on it

• Plan and conduct the actions needed to generate the metrics; test and verify; implement

Step 7: Establish a formal program review and refinement cycle

• Is there doubt about the accuracy of some of the metrics?
• How much effort is required to generate the metrics? Are they worth it?
• Are there new security metric standards and effective practices to consider?
• And most importantly, have the metrics guided improvement to the overall security program?
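The seven steps carried through end to end on the bottom-up example from Step 2, as an added example that is not the presenter's code and does not reproduce any real scanner's export format. The measurement is the monthly count of critical findings per server, the metric is the percent change since a baseline month, the target is the 95% reduction, the report is shaped per audience (Step 5), and the Step 7 accuracy check refuses to turn "no scan data this month" into "zero vulnerabilities". The CSV rows, host names, column layout and severity label are constructed assumptions.

```python
"""Seven-step metrics pipeline on a constructed scanner export.

Added example for this deck, not the presenter's code. It follows the
bottom-up example: measurement = monthly number of critical vulnerabilities
detected on servers, metric = change since the baseline month, objective =
95% reduction. The CSV below, its column names and the 'critical' label are
constructed for the example, not any real scanner's output.
"""
import csv
from collections import defaultdict
from io import StringIO

# Step 3, data source: a constructed scanner export, one row per finding.
SCAN_EXPORT = """\
scan_date,host,severity
2008-01-15,web01,critical
2008-01-15,web01,high
2008-01-15,db01,critical
2008-01-15,db01,critical
2008-01-15,app01,critical
2008-02-14,web01,critical
2008-02-14,db01,critical
2008-02-14,app01,high
2008-03-15,db01,critical
2008-04-15,web01,high
"""

# Steps 1 and 4: objective, baseline period and target, stated once and reused.
OBJECTIVE = "Reduce detectable critical vulnerabilities on servers by 95% by 2009"
BASELINE_MONTH = "2008-01"
TARGET_REDUCTION_PCT = 95.0


def parse_export(text):
    """Raw data -> list of row dicts; rejects rows with unexpected columns or empty fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        if set(row) != {"scan_date", "host", "severity"} or not all(row.values()):
            raise ValueError(f"malformed scanner row: {row}")
    return rows


def monthly_measurements(rows, severity="critical"):
    """Measurement: per month, per host count of findings at the given severity.

    A month is present only if the scanner produced some rows for it, so a
    scanned month whose total is 0 is a real measurement, while a month with
    no scan at all is simply absent (no data is not the same as no findings).
    """
    by_month = {}
    for row in rows:
        month = row["scan_date"][:7]          # YYYY-MM
        by_month.setdefault(month, defaultdict(int))
        if row["severity"].lower() == severity:
            by_month[month][row["host"]] += 1
    return {m: dict(hosts) for m, hosts in sorted(by_month.items())}


def reduction_pct(measurements, month, baseline_month=BASELINE_MONTH):
    """Metric: percent reduction in critical findings versus the baseline month."""
    if month not in measurements or baseline_month not in measurements:
        raise LookupError(f"no scan data for {month!r} or {baseline_month!r}; refusing to report 0")
    baseline = sum(measurements[baseline_month].values())
    current = sum(measurements[month].values())
    if baseline == 0:
        raise ZeroDivisionError("baseline month had no critical findings; choose another baseline")
    return round(100.0 * (baseline - current) / baseline, 1)


def report(measurements, month, audience):
    """Step 5: the same metric, shaped differently for each audience."""
    pct = reduction_pct(measurements, month)
    if audience == "executives":
        return {"objective": OBJECTIVE, "reduction_pct": pct,
                "target_met": pct >= TARGET_REDUCTION_PCT}
    if audience == "security staff":
        return {"month": month, "critical_by_host": measurements[month],
                "reduction_pct": pct}
    raise ValueError(f"unknown audience {audience!r}")


def months_missing(measurements, expected_months):
    """Step 7 accuracy check: months the program expected a scan for but has no data."""
    return [m for m in expected_months if m not in measurements]


if __name__ == "__main__":
    m = monthly_measurements(parse_export(SCAN_EXPORT))
    print(report(m, "2008-04", "executives"))
    print(report(m, "2008-04", "security staff"))
    print("months without scan data:",
          months_missing(m, ["2008-01", "2008-02", "2008-03", "2008-04", "2008-05"]))
```

Two design points match the slides: the objective, baseline and target are constants read by every function, so the executive view and the staff view cannot drift apart, and a missing month raises rather than reporting a flattering zero, which is the "doubt about accuracy" question from Step 7 answered in code rather than after the fact.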

Usefulness of a Given Metric Varies Depending Upon Maturity of the Security Program

[Figure: security program maturity levels, lowest to highest: Policies Developed; Procedures Developed; Procedures and Controls Implemented; Procedures and Controls Tested; Procedures and Controls Integrated]

Source: NIST SP 800-26

Usefulness of a Given Metric Varies Depending Upon Maturity of the Security Program (continued)

• Policies Developed: useful metrics are difficult to produce at this early stage; availability of data is limited and collection may be difficult
• Procedures Developed / Procedures & Controls Implemented: primary focus on implementation metrics
  • Ex: sensitive data scanning tool deployed on all individual desktops/laptops
• Procedures & Controls Tested / Procedures & Controls Integrated: primary focus on efficiency and effectiveness metrics
  • Ex: # of detected unapproved storage of sensitive data on desktops/laptops

Source: NIST SP 800-26

The Road To Success

• Gain executive level support
• Use only practical metrics, i.e. those that rely on data that can be cost-effectively obtained and assumed to be accurate
• Focus on quantifiable metrics
• Tailor the presentation of metrics to the audience
• Ditch metrics that do not:
  • demonstrate the degree to which goals and objectives of the overall security program are being met; or
  • identify new needs
• Keep the metrics program manageable: track just a few per audience

And Most Of All…

• Keep your eyes on the forest, not the trees!

References

• EDUCAUSE Security Metrics Resources
• Guide for Developing Performance Metrics for Information Security, NIST SP 800-80
• Security Metrics Guide for Information Technology Systems, NIST SP 800-55 (see metrics examples in Appendix A)
• Berinato, Scott, "A Few Good Metrics," CSOonline.com, July 1, 2005
• Campbell, George K., "How To Use Metrics," CSOonline.com, August 1, 2006
• Hinson, Dr. Gary, "Seven Myths About Security Metrics," ISSA Journal, July 2006
• Payne, Shirley C., "A Guide To Security Metrics," SANS Reading Room, July 11, 2001, updated June 19, 2006

Shirley C. Payne
payne@virginia.edu
(434) 924-4165

