Metrics
Squinting at Security Drivers and Perspective-based Biases
While doing some thinking on threat modelling I started examining what the usual drivers of security spend and controls are in an organisation. I’ve spent some time on multiple fronts, security management (been audited, had CIOs push for priorities), security auditing (followed workpapers and audit plans), pentesting (broke in however we could) and security consulting (tried to help people fix stuff) and even dabbled with trying to sell some security…
Metricon 2011 Summary
[I originally wrote this blog entry on the plane returning from BlackHat, Defcon & Metricon, but forgot to publish it. I think the content is still interesting, so, sorry for the late entry :)] I’ve just returned after a 31hr transit from our annual US trip. Vegas, training, Blackhat & Defcon were great, it was good to see friends we only get to see a few times a year, and make…
Incorporating cost into appsec metrics for organisations
A longish post, but this wasn’t going to fit into 140 characters. This is an argument pertaining to security metrics, with a statement that using pure vulnerability count-based metrics to talk about an organisation’s application (in)security is insufficient, and suggests an alternative approach. Comments welcome. Metrics and statistics are certainly interesting (none of those are infosec links). Within our industry, Verizon’s Data Breach Investigations Report (DBIR) makes a splash each…
Page 1 of 1