Metrics

Tag ∙ 22 posts
Posts

Greetings everybody! I am pleased to announce that my book, Security Metrics: Replacing Fear, Uncertainty and Doubt has shipped from the printers and is on its way to better bookstores near you.
My publisher, Addison-Wesley, has recently updated the information on my book, Security Metrics: Replacing Fear, Uncertainty and Doubt on Amazon. Although I am particularly fond of the inside contents, I am also very pleased with the way the cover came out.

As usual, the purposefully provocative, belligerently blogging Mike Rothman has gone and done it again — aimed his treacly firehose at security metrics. Most recently, he’s waded into the post-fest on the subject, of which Amrit Williams, Rich Mogull, Pete Lindstrom and Alex Hutton have been willing participants.

Now, I recognize that Mike’s stock-in-trade is hyperbole. He generally tells you exactly what he thinks, albeit with some slight exaggeration to get people’s blood pumped up and their tongues wagging in reply. He wants spirited debate, and if it takes a little baiting to get it, he’ll do it.

Alrighty then. I’ll take that bait. Mike’s been kind enough to reference my ongoing security metrics work over the last few months, and has been egging me on (privately) to convince him exactly what it is about security metrics that I find so compelling. Why, in essence, would I spend time researching a topic that has (for him) so little obvious value?

This essay is adapted from “Chapter 2: Defining Security Metrics” of my forthcoming book, Security Metrics: Replacing Fear, Uncertainty and Doubt from Addison-Wesley and Symantec Press, expected in early 2007. Small portions of this appeared in “The Future Belongs to the Quants,” an IEEE article co-authored by me, Dan Geer and Kevin Soo Hoo.

Information security is one of the few management disciplines that has yet to submit itself to serious analytic scrutiny. In security, business leaders ask: