Unconventional Security Metrics & Marginal Analysis
0 likes111 views
The document discusses the inadequacies of traditional security metrics and advocates for unconventional metrics that focus on proactive security measures. It emphasizes the importance of transparency, local conditions, and employee engagement in assessing security effectiveness. Additionally, the author highlights the need for ongoing evaluation and adjustments in security programs to minimize risks through a concept referred to as marginal analysis.
Unconventional Security Metrics & Marginal Analysis
- 2. 2 • Disgruntlement mitigation. Percentage of the time when managers and HR are aware of allegations of an unfair or hostile work environment (bully bosses, coercion, sexual or racial harassment, etc.) that they take positive actions, and do not retaliate against the alleged victims. While disgruntlement is only one of many motivators for inside attacks, it is one of the easiest to counter. A related metric is the number of times that the organization’s grievance and employee assistance programs are used. They will only be used frequently if employees view them as safe, effective, and legitimate. Perception is everything. • Employee turnover rates for both security and non-security personnel. This is closely related to the insider threat. • Frequency of formal and informal communication between security personnel (including low-level personnel) and non-security employees and contractors. Security by “walking around” is an effective strategy. • Resiliency preparation. Prevention is difficult. A good security program needs to be ready in advance to lead recovery after a serious security incident, including tampering, hacking, and counterfeiting. • Amount of “What Ifs?” How often do employees and security personnel mentally or physically rehearse possible security incidents, and how often are novel incidents considered? Even wildly implausible scenarios get people thinking creatively about security! • Frequency of formal and informal vulnerability assessments, number of ongoing vulnerabilities and potential countermeasures identified, and number of suggestions for security improvements, including from low-level personnel and non-security employees. (It is important to realize that vulnerability assessments are not the same thing as threat assessments, security surveys, performance testing, “Red Teaming”, pen(etration) testing, or compliance auditing—though these things are worth doing and can shed some light on vulnerabilities.) • Number of security changes recently introduced. This leads us to the idea of “Marginal Analysis”. (In mathematics and economics, “marginal” means rate of change.) Now securing even a medium-sized enterprise or facility is a very complex minimization problem. Risk needs to be minimized while considering hundreds of different security parameters (variables) involving security personnel, technologies, spatial and temporal deployment of resources, possible security strategies, assets to be protected, threats, vulnerabilities, training, etc. This is very much like a classic minimization problem in N- dimensional space, where N is quite large.