Questions tagged [metrics]

24 questions
14 votes, 4 answers

How do you estimate the costs of a security breach?

I'm a student and fairly new to the IT security field. Most articles and books say you should only patch a vulnerability if the costs of a breach are higher than the costs of patching the vulnerability. However, I can't find any explanation that can…

asked by StupidOne
9 votes, 4 answers

How to estimate the cost of an application vulnerability?

I've seen data on the cost of a breach, including a lot of surveys and research by Verizon and the Ponemon Institute. But in terms of an actual vulnerability, what are the factors to consider to determine the cost? A few things I had in mind are: Risk…

asked by Epoch Win
8 votes, 2 answers

Google Analytics on a secured site

Just read this article on Google Analytics and the risk of forged certificates, where it said: Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the…

asked by Jordan Reiter
7 votes, 2 answers

What key metrics should a CIO rely on to gauge the extent of IT risk exposure?

Note - This was originally asked in another Area51 proposal, which has since been deleted.

asked by AviD
6 votes, 2 answers

Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data

I'm calculating loss expectancy (SLE/ALE), but where or how does one get data on annual rates of occurrence for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…

asked by jvff
5 votes, 1 answer

Can OSSTMM RAVs be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000?

The calculation of RAVs in OSSTMM seems very useful as a security metric, but can they be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000? ISO 27001:2013 risk assessment requirements are aligned with ISO…

asked by kinunt
5 votes, 3 answers

Security performance criteria in employee reviews

Have any of you security professionals been able to get security performance metrics into reviews that managers conduct for their employees? If so, are there any helpful resources you could share to make that happen?

asked by user35603
5 votes, 2 answers

"Triage an incident"

I have been trying to find a definition of triage in relation to Information Security but cannot find any online. From the different examples given online (i.e. the medical world), it seems related to determining the incident's priority/urgency and…

asked by user92592
4 votes, 2 answers

How do I measure compliance with information security policies?

I work in an organisation with 3 levels as far as information security is concerned. I'm sitting at level two, where we develop policies and also assist with the standards. One of the most difficult things that has come to light is how to measure…

asked by Katlego M
3 votes, 2 answers

Security metrics on software developed

Thinking about software security metrics, I've currently thought about the following software security metrics: number/type of CWE detected by developers (bug reporting); number/type of CWE detected by static analysis; number/type of warnings at…

asked by boos
3 votes, 2 answers

Commonly observed attack patterns modelled in Honeypot configurations

(Judging by voting and answers, I failed rather badly at asking a question that in my head was superbly clear. Clearly I was wrong. I've since attempted to rephrase the original question to more precisely reflect my original thought, and now with…

asked by Christoffer
3 votes, 2 answers

Why can't a Tor node simultaneously be a guard and an exit node?

By looking at probability graphs for nodes at metrics.torproject.org, it seems that exit nodes can't also be guards (they have 0.0000% probability of serving as guard) and vice versa. Why is that so?
2 votes, 2 answers

What fraction of software bugs are vulnerabilities?

What fraction of software bugs are security vulnerabilities? Obviously, software bugs can be security vulnerabilities -- but also obviously, many software bugs have little or no security impact. Is there any data (or rules of thumb) on roughly…

asked by D.W.
2 votes, 1 answer

Gather system metrics securely from infected VM

I intend to train an RNN on snapshots of the VM metrics to classify malware. I will, therefore, run hundreds of different pieces of malware inside that VM. It has been isolated from my host (as best as I could/thought). What would be the best (most…
1 vote, 2 answers

CVSS Temporal guidance

I've recently been given a set of guidance notes on CVSS, but the guidance isn't making sense. I've sent a query off but got no response, so I'm asking here. Say you have an exploit (can ignore base for now – but if you want to replicate, I've got:…

asked by Amiga500