Comments
Is Your Security Program Effective? 7 Must-Ask Questions
Lorna Garey
100%
0%
Lorna Garey,
User Rank: Author
1/8/2014 | 11:07:13 AM
Calibrate: Specialty based?
I'm intrigued by the concept of calibration training as a way to make people cognizant of their biases. Is this training based on specialty, such as security, or is it more general?
jlowder
50%
50%
jlowder,
User Rank: Apprentice
1/8/2014 | 3:33:56 PM
Re: Calibrate: Specialty based?
Hi Lorna -- The concept of calibration is very general -- it's not specific to security at all. You can use calibration training to improve estimates of any uncertain quantity. For a great overview, check out Doug Hubbard's book, How to Measure Anything.
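The calibration idea described above, as an added example (not from the commenter or from Hubbard's book): an estimator gives a range they are 90% sure contains the true value, and calibration means that about 90% of such ranges actually do. The script scores a constructed set of interval estimates, classifies the estimator, and uses the binomial distribution to show how unlikely a given hit count would be if the estimator really were calibrated. The questions, ranges and actual values are invented for illustration.

```python
"""Check whether a set of 90% interval estimates looks calibrated.

Constructed example: a fictional estimator answered ten questions with
ranges they claimed to be 90% confident in. A calibrated estimator's
90% ranges should contain the true value roughly 90% of the time.
"""
from dataclasses import dataclass
from math import comb


@dataclass
class IntervalEstimate:
    question: str
    low: float
    high: float
    actual: float

    def contains_actual(self) -> bool:
        """True when the stated range brackets the true value."""
        return self.low <= self.actual <= self.high


# Constructed answers; the numbers are not real survey data.
SAMPLE_ESTIMATES = [
    IntervalEstimate("Hosts on the guest VLAN", 40, 80, 63),
    IntervalEstimate("Days to patch a critical CVE", 5, 14, 21),
    IntervalEstimate("Phishing click rate (%)", 2, 8, 11),
    IntervalEstimate("Admin accounts in the domain", 10, 30, 25),
    IntervalEstimate("Log volume per day (GB)", 50, 200, 140),
    IntervalEstimate("Open high findings last scan", 20, 60, 75),
    IntervalEstimate("MFA coverage (%)", 70, 95, 88),
    IntervalEstimate("Third-party SaaS apps in use", 30, 90, 120),
    IntervalEstimate("Mean time to detect (hours)", 24, 96, 48),
    IntervalEstimate("Annual security budget (k$)", 400, 900, 650),
]


def hit_rate(estimates):
    """Fraction of ranges that contained the true value."""
    hits = sum(1 for e in estimates if e.contains_actual())
    return hits / len(estimates)


def calibration_verdict(rate, target=0.90, tolerance=0.10):
    """Label an estimator relative to the confidence level they claimed."""
    if rate < target - tolerance:
        return "overconfident"   # ranges too narrow: claimed 90%, hit far less
    if rate > target + tolerance:
        return "underconfident"  # ranges too wide: hitting far more than 90%
    return "calibrated"


def prob_at_most_hits(n, hits, p=0.90):
    """P(X <= hits) for X ~ Binomial(n, p): how surprising this score would
    be if the estimator were genuinely calibrated at confidence p."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(hits + 1))


if __name__ == "__main__":
    rate = hit_rate(SAMPLE_ESTIMATES)
    hits = round(rate * len(SAMPLE_ESTIMATES))
    print(f"hit rate {rate:.0%} -> {calibration_verdict(rate)}")
    print(f"chance of <= {hits}/10 hits if truly calibrated: "
          f"{prob_at_most_hits(10, hits):.3f}")
```

With the constructed answers six of ten ranges contain the true value, so the estimator is classed as overconfident; a genuinely calibrated estimator would score that low on ten questions only about 1.3% of the time, which is the kind of feedback calibration training gives before the next round of estimates.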
Xylogx
50%
50%
Xylogx,
User Rank: Apprentice
1/8/2014 | 3:45:22 PM
Re: Calibrate: Specialty based?
Two words: Black Swan
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
1/8/2014 | 3:51:34 PM
Re: Calibrate: Specialty based?
If you can afford to protect against a black swan scenario, I want to get to know you!
jlowder
100%
0%
jlowder,
User Rank: Apprentice
1/9/2014 | 6:14:53 PM
Re: Calibrate: Specialty based?
Xylogx -- How should an organization decide which information security controls to invest in and how much to invest? It seems to me that decision analysis, including information risk analysis and game theory, is the best option we have. As you point out, even the best risk management practices may fail to predict a "black swan" event. But, again, what is the alternative decision-making method? The two words, "Black swan," don't help us answer that question. What those words do is this: they remind us that our methods for dealing with uncertainty are imperfect.

We still have to make decisions, including decisions about where to invest limited budget for information security programs. Risk analysis, imperfect as it may be, can help us to make better decisions than we would have made otherwise.
Laurianne
50%
50%
Laurianne,
User Rank: Author
1/8/2014 | 1:51:41 PM
Security Metrics
Jeff, thanks for sharing this detailed advice. Do you have any thoughts to share with readers on security ROI metrics that aren't working any more, that have outlived their usefulness? Thanks!
jlowder
50%
50%
jlowder,
User Rank: Apprentice
1/8/2014 | 3:39:50 PM
Re: Security Metrics
Hi Laurianne -- Thanks! The only metric that comes to mind is the Common Vulnerability Scoring System (CVSS) score. I'm a big fan of CVSS and want it to be successful, but the way it's implemented violates basic statistics by committing what's known as the base rate fallacy. In short, CVSS focuses on what we know about a sample (say, a vulnerability in a specific version of Apache) while completely ignoring what we know about the larger population (in this case, Apache software in general). The obvious way to fix CVSS, of course, is to factor base rates into the formula.
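The base rate fallacy the comment above refers to, worked through as an added example (not the commenter's code and not a proposed replacement for the CVSS formula): evidence about one vulnerability is combined with what is known about the population it belongs to using Bayes' rule. The indicator, its sensitivity and false-positive rate, and the population base rates are all constructed numbers chosen to make the effect visible.

```python
"""Why ignoring the base rate misleads vulnerability prioritisation.

Constructed scenario: a sample-level indicator (say, a scanner flag that
a vulnerability "looks exploitable") fires for 90% of vulnerabilities
that really do get exploited (sensitivity) and for 10% of those that do
not (false-positive rate). Reading the indicator alone suggests a 90%
chance of exploitation; Bayes' rule shows the answer depends heavily on
how common exploitation is in the population the finding comes from.
"""
from dataclasses import dataclass

SENSITIVITY = 0.90          # P(indicator | exploited)      -- constructed
FALSE_POSITIVE_RATE = 0.10  # P(indicator | not exploited)  -- constructed


def posterior(base_rate, sensitivity=SENSITIVITY, fpr=FALSE_POSITIVE_RATE):
    """P(exploited | indicator fired) by Bayes' rule.

    base_rate is the population prior P(exploited) for the software class
    the finding belongs to. The denominator is the total probability that
    the indicator fires at all, over both exploited and non-exploited cases.
    """
    true_alarm = sensitivity * base_rate
    false_alarm = fpr * (1.0 - base_rate)
    return true_alarm / (true_alarm + false_alarm)


@dataclass
class Finding:
    name: str
    population: str
    base_rate: float      # constructed prior for that population
    indicator_fired: bool

    def exploit_probability(self):
        """Combine population prior with sample-level evidence."""
        if self.indicator_fired:
            return posterior(self.base_rate)
        # Indicator silent: evidence against exploitation, same Bayes step.
        miss = (1.0 - SENSITIVITY) * self.base_rate
        quiet = (1.0 - FALSE_POSITIVE_RATE) * (1.0 - self.base_rate)
        return miss / (miss + quiet)


def rank_findings(findings):
    """Highest exploit probability first, using base rates, not flags alone."""
    return sorted(findings, key=lambda f: f.exploit_probability(), reverse=True)


# Constructed findings in two populations with very different priors.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "rarely-exploited library", 0.02, True),
    Finding("CVE-PLACEHOLDER-B", "widely-targeted server software", 0.30, True),
    Finding("CVE-PLACEHOLDER-C", "widely-targeted server software", 0.30, False),
]


if __name__ == "__main__":
    print(f"naive reading of a fired indicator: {SENSITIVITY:.0%}")
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.name:18s} prior={f.base_rate:.0%} "
              f"flag={f.indicator_fired!s:5s} "
              f"P(exploited)={f.exploit_probability():.1%}")
```

The same fired indicator yields roughly a 16% exploitation probability in the population with a 2% base rate and roughly 79% in the population with a 30% base rate, so a score that looks only at the sample-level evidence treats those two findings identically when they are not. The 2% and 30% priors and the indicator's error rates are illustrative; in practice they would have to be estimated from the organisation's own data.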