Security Metametrics: comments (blog by Gary; feed last updated 2023-07-06)

Anonymous (2018-02-01):
Good information posted. Thanks for sharing information.
27001: https://www.igcexam.com/course/ISO-27001-Foundation

Gary (2016-02-28, 21:20):
Absolutely, "Unknown"! There's plenty to think about.

Unknown (2016-02-28, 06:22):
Good and interesting analysis. At least they are actually thinking about metrics. What a concept.

Gary (2016-02-20, 13:23):
Right on the button, Cody. A lot of it is written or spun by marketers, bandied about by journalists, and all too often becomes part of the folklore. Time for a few reality checks, I reckon.

Anonymous (2016-02-20, 10:57):
It's exceedingly refreshing to see a critical evaluation of just about any of this stuff.

shooflypie (2015-08-04):
I saw an IBM report last year that really stood out.

The big headline, which was carried by the media, was that they found 1 in 500 machines were infected with "APT".

Reading into the small print, they'd redefined all malware as APT, so Zeus etc. was counted in that figure.

Anonymous (2014-05-07, 23:25):
Such a wonderful...!!! Matrices of learning management systems (http://www.simpletraining.com/security-awareness-training.html)...
Thanks for sharing...!!!

Anonymous (2014-05-07, 22:16):
For identifying areas for improvement in their techniques or the materials or the venue... The IT security awareness programme (http://www.simpletraining.com/security-awareness-training.html) is the best...
Thanks for sharing...!!!

Alan (2014-01-09, 04:33):
Also see "Our screening sacred cows", which discusses a Guardian article earlier this week.
http://www.healthnewsreview.org/2014/01/our-screening-sacred-cows/

Alan (2014-01-09, 03:33):
Couldn't agree more, but these particular tests are an easy target. Off-the-shelf DNA tests of the sort discussed in the NYT are particularly dodgy; however, practically all screening tests have limitations, are usually only appropriate for certain populations, and may be associated with serious harms. But screening tends to be widely and uncritically promoted in the media and by celebrities. There is little attention to the risks and trade-offs inherent in screening decisions. Doctors may also be unreliable guides because they themselves don't adequately understand the test, have conflicts of interest, or don't have the time to adequately counsel patients. And groups like the USPSTF that try to provide balanced information have often been vilified in the media, by politicians, and by specialists with financial interests in screening.

See for example:
Woloshin, Steven, and Lisa M. Schwartz. "The Benefits and Harms of Mammography Screening: Understanding the Trade-offs." JAMA: The Journal of the American Medical Association 303, no. 2 (January 13, 2010): 164–165. doi:10.1001/jama.2009.2007.

Also see other works on medical risk and risk communication by the same authors and their colleagues at Dartmouth:
http://tdi.dartmouth.edu/initiatives/research/healthy-skepticism

Anonymous (2013-02-01):
Compliance, when done for the right reasons, can be seen as an ounce of prevention, although it is often seen as a checklist and nothing more.

Fines and penalties are often seen as the cost of business, whereas the system availability, or more specifically non-availability.

Gary (2013-01-13):
Thanks Alan. Buy it anywhere you can get it and bring it with you next time we meet! Gary.

AH (2013-01-12):
Congrats Gary & Krag.
Where do we get the copies signed by the authouree?

Anonymous (2012-07-04):
Actually, I have been doing quite a bit of work in this area, and you are correct that industry trends in spend such as those collected by Gartner reports are helpful but not a fair or complete story.

The fairest budget metrics that I have seen so far are more in line with Activity Based Costing metrics. These describe the same activity across firms but account for the types and level of such activities inside each firm.

Yet, as to the question of what spending should be, there are several non-linear factors involved. The first two can easily fit into a fixed and variable cost model. What is the absolute floor level of information security that my paying customers must have? What is the level of security that attracts my paying customers to buy my product?

Put cleanly in an ACME Corp example: what part of my security budget is part of the Cost of Goods Sold? What part of that cost will convince the legal authorities that ACME uses due care in protecting its customers? What part of that cost makes my customer 10% more likely to buy my product than my competitor's?

InfoSec is not simply a bottom-line cost avoidance strategy. It is also a top-line market share gaining activity.

Unknown (2012-05-19):
Vulnerabilities by themselves offer little insight without knowing viable threats, potential impacts and the extent of exposure. I think I would downgrade this metric in the Predictability, Meaningful, and Actionable scores. Fixing vulnerabilities that have little or no probability of exploit and/or little impact should be a pretty low priority.

Unknown (2012-04-16):
An essential point: you just can't laundry-list a set of metrics and expect anything useful to happen, which may be the best case. Worst case, what is being measured is an artifact of something entirely different and irrelevant, or actually counter to what is desired. Like the temperature gauge in a car: if there's no coolant in the system, it will read around zero, which must mean it's not overheating, right?
Kraggles