Highest Voted 'metrics' Questions - IT Security Stack Exchange

14

votes

4 answers

How do you estimate the costs of a security breach?

I'm a student and fairly new to the IT security field. Most articles and books say you should only patch a vulnerability if the costs of a breach are higher than the costs of patching the vulnerability. However, I can't find any explanation that can…

risk-management metrics

asked Feb 09 '11 at 11:44

StupidOne

2,802
21
35

9

votes

4 answers

How to estimate the cost of an application vulnerability?

I've seen data on the cost of a breach including lot of surveys and research by Verizon and the Ponemon Institute. But in terms of an actual vulnerability, what are the factors to consider to determine the cost? Few things I had in mind are: Risk…

risk-management metrics budget

asked Jul 02 '13 at 20:06

Epoch Win

922
2
7
14

8

votes

2 answers

Google Analytics on a secured site

Just read this article on Google Analytics and the risk of forged certificates, where it said: Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the…

web-application tls logging metrics

asked Mar 21 '12 at 20:33

Jordan Reiter

201
2
5

7

votes

2 answers

What key metrics should a CIO rely on to gauge the extent of IT risk exposure?

Note - This was originally asked in another Area51 proposal, which has since been deleted.

business-risk risk-management metrics

asked Nov 17 '10 at 01:17

AviD

72,138
22
136
218

6

votes

2 answers

Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data

I'm calculating loss expectancy (SLE/ALE) but where or how does one get data on annual rates of occurrences for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…

risk-analysis metrics risk exposure

asked Dec 11 '11 at 23:43

jvff

61
1
2

5

votes

1 answer

Can OSSTMM RAVs be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000?

The calculation of RAVs in OSSTMM seem very useful as a security metric but, can they be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000? ISO 27001:2013 risk assessment requirements are aligned with ISO…

risk-management metrics iso27001

asked Apr 28 '14 at 16:22

kinunt

2,759
2
23
30

5

votes

3 answers

security performance criteria in employee reviews

Have any of you security professionals been able to get security performance metrics into reviews that managers conduct for their employees? If so, are there any helpful resources you could share to make that happen?

corporate-policy people-management metrics

asked Dec 12 '13 at 23:55

user35603

71
3

5

votes

2 answers

"Triage an incident"

I have been trying to find a definition of triage in relation to Information Security but cannot find any online. From the different examples given online (i.e. medical world), it seems related to determining the incidents priority/urgency and…

metrics information-gathering

asked Mar 14 '16 at 13:04

user92592

544
1
5
13

4

votes

2 answers

How do I measure compliance to Information security policies?

I work in an organisation with 3 levels as far as information security is concerned. I'm sitting at level two where we develop policies and also assist with the standards. One of the most difficult things which have come to light is how to measure…

compliance standards metrics

asked Sep 19 '18 at 12:48

Katlego M

51
8

3

votes

2 answers

security metrics on softwares developed

Thinking about software security metrics currently I've thought about the following software security metrics: number/type of CWE detected by developers (bug reporting) number/type of CWE detected by static analysis number/type of warning at…

risk-management risk-analysis secure-coding metrics

asked Jun 11 '14 at 15:04

boos

1,066
2
10
21

3

votes

2 answers

Commonly observed attack patterns modelled in Honeypot configurations

(Judging by voting and answers, I failed rather badly at asking a question that in my head was superbly clear. Clearly I was wrong. I've since attempted to rephrase the original question to more precisely reflect my original thought, and now with…

metrics

asked May 16 '13 at 14:35

Christoffer

1,030
1
6
14

3

votes

2 answers

Why can't a Tor node simultaneously be a guard and an exit node?

By looking at probability graphs for nodes at metrics.torproject.org, it seems that exit nodes can't also be guards (they have 0.0000% probability of serving as guard) and vice versa. Why is that so?

tor metrics

asked Dec 30 '18 at 12:43

white_poppy

31
2

2

votes

2 answers

What fraction of software bugs are vulnerabilities?

What fraction of software bugs are security vulnerabilities? Obviously, software bugs can be security vulnerabilities -- but also obviously, many software bugs have little or no security impact. Is there any data (or rules of thumb) on roughly…

appsec statistics metrics

asked Jun 22 '13 at 07:25

D.W.

98,420
30
267
572

2

votes

1 answer

Gather system metrics securely from infected VM

I intend to train an RNN on snapshots of the VM metrics to classify malware. I will, therefore, run hundreds of different pieces of malware inside that VM. It has been isolated from my host (as best as I could/thought). What would be the best (most…

virtualization windows-10 metrics

asked Jul 30 '19 at 19:16

Cobalt Scales

123
9

1

vote

2 answers

CVSS Temporal guidance

I've recently been given a set of guidance notes on CVSS; but the guidance isn't making sense. I've sent a query off, but got no response. So asking here. Say you have an exploit (can ignore base for now – but if you want to replicate, I’ve got:…

cvss metrics

asked Nov 04 '21 at 17:51

Amiga500

142
5

Questions tagged [metrics]