Time for New Security Metrics
How do you estimate a security measure to decide whether or not to invest in it? In traditional risk management, it's a matter of calculating annualized loss expectancy (ALE). If that is a term that wasn't cooked up by non-security professionals, I don't know what is. It's a rationalized, abstract measure but it's basically the best we have and it isn't good enough.
Bruce Schneier in ComputerWorld debunks the idea that ALE is a reasoned way to make security investment decisions without some precautions. The problem we all know when you try to use ALE is that you need data on how frequently events occur. We might have good measures on how often viruses spread in a network or how often a DoS attack is launched against you, but we don't know how many times a data has been stolen, undetected, from a database.
Schneier argues ALE isn't worthless but you have to be careful with the numbers. That doesn't solve the problem though. We need a better metric that is more a function of the value of the assets you are protecting, which we can quantify. Measuring external threats are too difficult to measure and too dynamic. We can't assume that the the threats at the beginning of the fiscal year are the same threats at the same level at the end of the fiscal year.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
