Comments
Is Your Security Program Effective? 7 Must-Ask Questions
Newest First  |  Oldest First  |  Threaded View
jlowder
100%
0%
jlowder,
User Rank: Apprentice
1/9/2014 | 6:14:53 PM
Re: Calibrate: Specialty based?
Xylogx -- How should an organization decide which information security controls to invest in and how much to invest? It seems to me that decision analysis, including information risk analysis and game theory, is the best option we have. As you point out, even the best risk management practices may fail to predict a "black swan" event. But, again, what is the alternative decision making method? The two words, "Black swan," don't help us answer that question. What those words do is this: they remind us that our methods for dealing with uncertainty are imperfect.

We still have to make decisions, including decisions about where to invest limited budget for information security programs. Risk analysis, imperfect as it may be, can help us to make better decisions than we would have made otherwise.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/8/2014 | 3:51:34 PM
Re: Calibrate: Specialty based?
If you can afford to protect against a black swan scenario, I want to get to know you!
Xylogx
50%
50%
Xylogx,
User Rank: Apprentice
1/8/2014 | 3:45:22 PM
Re: Calibrate: Specialty based?
Two words: Black Swan
jlowder
50%
50%
jlowder,
User Rank: Apprentice
1/8/2014 | 3:39:50 PM
Re: Security Metrics
Hi Laurianne -- Thanks! The only metric that comes to mind is the Common Vulnerability Scoring System (CVSS) score. I'm a big fan of CVSS and want it to be successful, but the way it's implemented violates basic statistics by committing what's known as the base rate fallacy. In short, CVSS focuses on what we know about a sample (say, a vulnerability in a specific version of Apache) while completely ignoring what we know about the larger population (in this case, Apache software in general). The obvious way to fix CVSS, of course, is to factor base rates into the formula.
jlowder
50%
50%
jlowder,
User Rank: Apprentice
1/8/2014 | 3:33:56 PM
Re: Calibrate: Specialty based?
Hi Lorna -- The concept of calibration is very general -- it's not specific to security at all. You can use calibration training to improve estimates of any uncertain quantity. For a great overview, check out Doug Hubbard's book, How to Measure Anything.
Laurianne
50%
50%
Laurianne,
User Rank: Author
1/8/2014 | 1:51:41 PM
Security Metrics
Jeff, thanks for sharing this detailed advice. Do you have any thoughts to share with readers on security ROI metrics that aren't working any more, that have outlived their usefulness? Thanks
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Author
1/8/2014 | 11:07:13 AM
Calibrate: Specialty based?
I'm intrigued by the concept of calibration training as a way to make people cognizant of their biases. Is this training based on specialty, such as security, or is it more general?


Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.