Multivariate Security

Information Security is a multi-faceted challenge. In the simplest of high-level terms, we often have to consider the people, policy and technology facets. Within those three facets, there are several layers of additional facets. For example, people have education and experience factors as well as cultural and organizational factors, and to make it even more fun there is the interplay between people, policies and technologies.

The technology facet can range from infrastructure to configuration, integration and interconnectedness, and everything in between.

Of course, all of these are directly driven by the requirements within the given environment, such as privacy, confidentiality, availability and integrity. Each of these core requirements is affected by sub-requirements or components such as authentication, authorization, accounting (auditing), encryption, vulnerability detection, change detection, malware and incident response, among many others.

The depth of complexity and variability is one of the many reasons security experts throw their hands in the air and conclude that security is immeasurable. But when we step back a bit and scan the problem and organize it into sub-modules, we begin to understand a few basic principles:

1) There is a deep multidimensional relationship between blocks.

2) We can deconstruct each block deeply enough to get to a set of measurable components.

3) Some of the base components are best described by probabilistic metrics.

4) Most security sub-components will not be describable using simple probability functions or distributions such as the normal distribution or Gaussian distribution.

So, accepting the inherent complexity essential to measuring security is a first step towards creating a framework for measuring cyber security for any organization or enterprise, but it is not the only one. We have to identify a mathematical framework that can help us design a metric or set of metrics that will pass a set of mathematical smell tests:

i) repeatable - a real metric must provide similar results for similar inputs, and follow a consistent and expected path given a set of criteria.

ii) commutative - there must be a function that enables us to accumulate (increase or reduce) the value of the metric.

iii) bounded - there must be a minimum and a maximum value.

Information security, when broken into its composites, can be shown to meet each of these three criteria [see 1], and there exist functions that can be used to determine a single metric or a set of metrics (depending on our preference) for overall security.

At the base component level, the value determined may provide some insight, but for enterprise value, a cumulative view of enterprise security is usually more helpful. A good transpose for security is risk. By determining the risk of an adverse incident, we can calculate the converse. The aggregate risk will help us determine the aggregate security.
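One way to make the risk-to-security converse and the three smell tests concrete, as an added example that is not from the original post. The component names, the sample probabilities, the independence-based aggregation formula and the reading of "commutative" as order-independent accumulation are all assumptions; the dependence bounds show how far interconnected components can move the result.

```python
# Added example: the page gives no formula, so the aggregation below is an assumption.
from itertools import permutations
from math import prod

# Constructed sample: probability of an adverse incident per base component,
# grouped under the page's three facets.
COMPONENT_RISK = {
    "people":     {"awareness": 0.10, "experience": 0.05},
    "policy":     {"change_control": 0.08},
    "technology": {"authentication": 0.02, "patching": 0.15, "malware": 0.07},
}

def aggregate_risk(risks):
    """P(at least one incident), assuming the components fail independently."""
    return 1.0 - prod(1.0 - r for r in risks)

def dependence_bounds(risks):
    """Range of P(at least one incident) under any dependence between components:
    from fully overlapping events (max) to mutually exclusive ones (capped sum)."""
    risks = list(risks)
    return max(risks), min(1.0, sum(risks))

def enterprise_view(tree):
    """Accumulate risk facet by facet, then across facets; security is the converse."""
    facet_risk = {name: aggregate_risk(parts.values()) for name, parts in tree.items()}
    total = aggregate_risk(facet_risk.values())
    flat = [r for parts in tree.values() for r in parts.values()]
    return {"facet_risk": facet_risk, "risk": total, "security": 1.0 - total,
            "risk_bounds": dependence_bounds(flat)}

def meets_criteria(risks):
    """Check the three smell tests on one list of component risks."""
    risks = list(risks)
    base = aggregate_risk(risks)
    repeatable = aggregate_risk(risks) == base            # same input, same output
    order_free = all(abs(aggregate_risk(p) - base) < 1e-12
                     for p in permutations(risks))        # accumulation order is irrelevant
    bounded = 0.0 <= base <= 1.0                          # fixed minimum and maximum
    return repeatable and order_free and bounded

if __name__ == "__main__":
    view = enterprise_view(COMPONENT_RISK)
    print(f"risk={view['risk']:.4f} security={view['security']:.4f}")
    print("risk range under arbitrary dependence:", view["risk_bounds"])
```

The gap between the independence figure and the dependence bounds is the part a single per-component probability cannot express.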

Because of the wide variety of components, and their interconnectedness, multivariate mathematics is an essential tool for measuring cyber security, and is one of the cornerstones of our security metrics practice at 6igma associates.
