Primer on Security Metrics and their Pitfalls

A great primer on the utility and pitfalls of security metrics written by Vicente Aceituno:
It is not easy to find metrics for security goals like security, trust and confidence. The main reason is that security goals are “negative deliverables”. The absence of incidents for an extended period of time leads us to think that we are safe. If you live in a town where neither you nor anyone you know has ever been robbed, you feel safe. Incidents prevented can’t be measured in the same way a positive deliverable can, like the temperature of a room.
Src: Security Metrics | Information Security Management Maturity Model Blog
