at least five problems with security metrics
the journal of Michael Werneburg
twenty-seven years and one million words
Last year, I participated in a panel on "metrics that matter" at RSA. One of the memorable bits of feedback from an audience member is that we didn't answer the question of which metrics matter. Frankly, when it comes to information risk, it's a complex morass of non-obvious hazards.
Good ol' Dark Reading provides an article with a good description of four of the common problems in "The Four Big Problems With Security Metrics". If I could add a fifth, it would be that I've never found a metric that can answer a President's most likely question, which would be, "So, we're secure?" or maybe, "Hey, are we doing something about this... um... APT thing?"