Security Metric of the Week #28: Benford’s law

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

Benford’s law is a fascinating theorem in number theory with applications in information security, accountancy, engineering, computer audit and other fields.

Benford’s law predicts the distribution of initial digits of numbers in numeric data sets generated in an unbiased and unconstrained fashion. In short, roughly a third of such multi-digit numbers start with a 1, whereas only one twentieth start with a 9. If someone (such as a fraudster) or something (such as a rogue or buggy computer application) has been manipulating or fabricating data, the numbers tend not to have leading digits with the predicted frequencies. Turning that on its head, if we compare the actual against the predicted distribution of leading digits in a data set, significant discrepancies probably indicate something strange, and possibly something untoward, going on: we would have to dig deeper to determine the real cause.
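As an added illustration (not part of the original article or the downloadable PDF), the Python script below computes the Benford-predicted leading-digit frequencies, tallies the leading digits actually found in a data set, and compares the two with a chi-square goodness-of-fit test, which is the "compare actual against predicted" check described above. The two data sets and the flagging threshold are assumptions: a constructed multiplicative-growth series (powers of 2) stands in for unconstrained, naturally arising figures, and a constructed block of evenly spread amounts stands in for fabricated ones.

```python
import math
from collections import Counter

# Benford's law: P(first digit = d) = log10(1 + 1/d) for d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (9 digits - 1) at p = 0.05.
# Assumed flagging threshold; a real review would pick the confidence level
# it needs and then dig into flagged data sets rather than treat them as proven.
CHI2_CRITICAL_8DF = 15.507


def leading_digit(value):
    """First significant digit of a number (1..9), or None for zero."""
    if isinstance(value, int):
        text = str(abs(value))                 # exact for arbitrarily large integers
    else:
        text = f"{abs(float(value)):.15e}"     # e.g. '4.200000000000000e-03'
    digit = int(text[0])
    return digit or None


def digit_counts(values):
    """Observed count of each leading digit, keyed 1..9 (zero values are skipped)."""
    observed = Counter(leading_digit(v) for v in values)
    return {d: observed.get(d, 0) for d in range(1, 10)}


def chi_square(values):
    """Chi-square statistic of the observed leading digits against Benford's law."""
    counts = digit_counts(values)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero values to test")
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d])
               for d in range(1, 10))


def conforms_to_benford(values, critical=CHI2_CRITICAL_8DF):
    """True when the leading-digit distribution is not significantly off Benford."""
    return chi_square(values) < critical


def report(label, values):
    """Print observed versus predicted percentages and a verdict for one data set."""
    counts = digit_counts(values)
    n = sum(counts.values())
    print(f"{label} (n={n})")
    print("digit  observed  predicted")
    for d in range(1, 10):
        print(f"  {d}     {100 * counts[d] / n:6.1f}%   {100 * BENFORD[d]:6.1f}%")
    stat = chi_square(values)
    verdict = ("consistent with Benford" if stat < CHI2_CRITICAL_8DF
               else "discrepancy: dig deeper")
    print(f"chi-square = {stat:.1f} -> {verdict}\n")


# Constructed sample 1: a multiplicative-growth series spanning many orders of
# magnitude, a stand-in for figures that arise naturally (e.g. account balances).
NATURAL_SAMPLE = [2 ** n for n in range(200)]

# Constructed sample 2: 900 amounts spread evenly from 100 to 999, a stand-in for
# fabricated figures; every leading digit appears exactly 100 times.
FABRICATED_SAMPLE = [100.0 + i for i in range(900)]

if __name__ == "__main__":
    report("natural-looking series", NATURAL_SAMPLE)
    report("evenly spread amounts", FABRICATED_SAMPLE)
```

Run as a script it prints the two comparison tables; the growth series passes while the evenly spread amounts produce a chi-square statistic in the hundreds. A pass is not proof that the figures are genuine (a careful manipulator can mimic the distribution, and some legitimate data sets, such as fixed-price items or sequential identifiers, never follow Benford in the first place), so the test is a triage signal that tells you where to look, not a verdict.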

Download Security Metric of the Week #28: Benford's law (PDF)

Security Metric of the Week #27: Number of times that assets were accessed without authentication or validation

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

This candidate metric immediately begs questions such as: would you know

  • When assets are accessed? Certain accesses to some IT systems, databases, applications, data files etc. may well be monitored and logged routinely, but probably not all of them, and certainly not when it comes to non-IT information assets such as paperwork and intangible knowledge.
  • Who or what was accessing them? If someone is able to access assets indirectly through a separate computer system, network connection or third party, how would you know this was taking place? What if the access was entirely automated e.g. a scheduled backup process: does that count as an access event?
  • Whether the access attempts were successful or unsuccessful? The metric is ambiguous on whether it counts access attempts and/or access events.
  • Whether they were ‘authenticated’? Often, people are presumed to have been authenticated previously purely by dint of being in a certain place (e.g. an employee on site in the office) but what if the presumption is false (e.g. an office intruder or visitor)?
  • Whether they were ‘validated’? ‘Validation’ seems a curious term in this context. Precisely what is being validated, and on what basis?

Download Security Metric of the Week #27: Number of times that assets were accessed without authentication or validation (PDF)

Security Metric of the Week #25: proportion of critical information assets residing on fully compliant systems

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

In order to measure this metric, someone has to:

  1. Identify the organization’s critical information assets unambiguously;
  2. Determine or clarify the compliance obligations;
  3. Assess the compliance of systems containing critical information assets.

All three activities are easier said than done. In our experience, the concepts behind this metric tend to make most sense in those military and governmental organizations that make extensive use of information classification, but even there the complexities involved in measuring compliance with a useful amount of accuracy would make it slow and expensive. Consequently, the low Accuracy, Cost and Timeliness scores all take their toll on the metric’s PRAGMATIC score.


Download Security Metric of the Week #25: proportion of critical information assets residing on fully compliant systems (PDF)

Security Metric of the Week #23: Business Continuity Management (BCM) Maturity

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

The high PRAGMATIC score for this week’s metric shows that we consider it a valuable measure of an organization’s business continuity management practices:

P    R    A    G    M    A    T    I    C    Score
90   95   70   80   90   85   90   87   90   86%

This metric is designed on exactly the same lines as the HR security maturity metric, SMotW #15, using a maturity scoring table with predefined criteria for various aspects of business continuity management indicating various levels of maturity.

Download Security Metric of the Week #23: Business Continuity Management (BCM) Maturity (PDF)

Security Metric of the Week #22: Internal Rate of Return

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

IRR is one of a number of financial metrics in our collection. IRR measures the projected profitability of an investment, a proposed security implementation project for example. If the IRR is greater than the organization’s cost of capital, the project may be worth pursuing (unless there are limited funds available, and other proposals with even higher IRR or intangible benefits).

Download Security Metric of the Week #22: Internal Rate of Return (PDF)

Security Metric of the Week #21: proportion of information assets not marked with the correct classification

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

There are three key assumptions underlying this week’s Security Metric of the Week:

  1. The meaning of “information asset” is clear to all involved;
  2. There are suitable policies and procedures in place concerning how to risk-assess and classify information assets correctly;
  3. The metricator (person gathering/analyzing the data for the metric) is able to tell whether or not a given information asset is (a) correctly classified and (b) correctly marked.

Part of the concern about the meaning of “information asset” is the determination of what should be assessed and marked: should we classify the filing cabinet, the drawers, the files, the documents or the individual pages? In some cases, it may be appropriate to classify them all, but there are practical limits in both the micro and macro directions. The wording of the policies, procedures, examples etc. can make a big difference.

Download Security Metric of the Week #21: proportion of information assets not marked with the correct classification (PDF)

Security Metric of the Week #19: rate of change in employee turnover and/or absenteeism

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

In most organizations, employee turnover rumbles along at a ‘normal’ rate most of the time, due to the routine churn of people joining and leaving the organization. Likewise, there is a ‘normal’ rate of absenteeism, due to sickness, holidays/leave and unexplained absences. Big changes (especially sudden increases) in either set of numbers suggest the possibility that information security risks associated with disaffected or malicious employees might have substantially increased; in other words, increased turnover and absenteeism may be indicators of a discontented workforce voting with their feet, or indeed of management sacking loads of employees.

Download Security Metric of the Week #19: rate of change in employee turnover and/or absenteeism (PDF)

Security Metric of the Week #18: information security expenditure

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

At first glance, this metric looks like it would be ideal for those managers who are obsessed with costs. “Just how much are we spending on security?” they ask, followed shortly no doubt by “Do we really need to spend that much?” OK, let’s go with the flow and try to get them the figures they crave.

Download Security Metric of the Week #18: information security expenditure (PDF)

Security Metric of the Week #17: number and severity of audit findings

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

Our latest ‘security metric of the week’ builds on the following premises. Firstly, the number and severity of audit findings bears some relationship to the state or maturity of the organization’s governance, risk, compliance and security arrangements, along with the number, quality, scope and depth of the audits. Secondly, since audits are invariably independent and formal, the number of audit findings is an objective, cheap and easy-to-obtain measure, as is the ‘severity’ (or gravity or importance) provided findings are routinely rated/classified by the auditors, which they usually are. The severity of audit findings also helps focus management attention on the issues that really matter.

Download Security Metric of the Week #17: number and severity of audit findings (PDF)

Security Metric of the Week #16: Number of security policy noncompliance infractions detected

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

The extent to which employees comply with the organization’s security policies sounds like the kind of thing that management might want to track and, where appropriate, improve. This week’s metric is a typical, if rather naive attempt to measure policy compliance … by counting noncompliance incidents.

Download Security Metric of the Week #16: Number of security policy noncompliance infractions detected (PDF)

Security Metric of the Quarter #2

Krag Brotby, CISM, CGEIT
Gary Hinson, PhD, MBA, CISSP

It has been a good quarter in the sense that several of the example metrics we have discussed have scored substantially higher than our first Security Metric of the Quarter, Discrepancies between physical location and logical access location. With the highest PRAGMATIC score of all the metrics we have reviewed in the past three months, we are proud to announce that our second Security Metric of the Quarter is …

Download Security Metric of the Quarter #2 (PDF)

A Futuristic Look at Cloud Computing Security

E. Eugene Schultz, Ph.D., CISSP, CISM

The term “cloud computing” means different things to different individuals, and cloud computing is by no means new. Despite confusion and misconceptions related to cloud computing, this type of computing is currently immensely popular and is being used to substantially reduce the financial cost and complexity of computing, as well as for other reasons. Cloud service providers (CSPs) offer three basic types of services: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Although cloud services offer many benefits, they are also beset with security risks, the most serious of which currently are inadequate security for data stored in the cloud, restricted ability to conduct adequate audits in cloud environments, and unavailability of cloud services.

Download A Futuristic Look at Cloud Computing Security (PDF)

Myths about Password Settings and Other Nonsense: How Information Security Tortures Users in the Name of Security

E. Eugene Schultz, Ph.D., CISSP, CISM

Typical organizations have information security standards that require a certain password length, password expiration every 30 to 90 days, password complexity, and more. Information security staff members who routinely prescribe these settings might believe that their organization is meeting “best practice” standards. Research on password settings over the past years, however, suggests that many widely accepted and used settings do not help security appreciably. Instead, many of these settings not only inconvenience users but in many cases make them less able to remember their passwords. The problem is not limited to passwords, either. Third-party authentication and other technology designed to improve security are too often not at all user friendly. This paper discusses how information security tortures users in the name of security and suggests solutions.

Download Myths about Password Settings and Other Nonsense (PDF)

The Rootkit Epidemic

E. Eugene Schultz, Ph.D., CISSP, CISM

Malicious code (also called malware) has become increasingly sophisticated since the time the first virus surfaced in the wild around 1980. Malware such as viruses and worms is troublesome, yet it is generally easy to detect and eradicate once it infects a system. Viruses and worms also largely (but not exclusively) target Windows systems, leaving other types of systems mostly alone. Other types of malware started to pose a proportionately greater security threat several years ago, when the allure and utility of writing and releasing viruses and worms started to fade: malware writers, increasingly motivated by financial gain, began deploying more surreptitious malware (SCHU06). Rootkits, in contrast, are designed to help attackers escape notice; they have therefore proven much more troublesome than other types of malicious code. Rootkits are becoming so prevalent that referring to the rootkit problem as an “epidemic” is increasingly appropriate. This paper defines rootkits, explains how they work, explicates why they are likely to become even more prevalent, and wrestles with the issue of whether the war against rootkits will ever be won and, if so, how.

Download The Rootkit Epidemic (PDF)

Research on Usability in Information Security

E. Eugene Schultz, Ph.D., CISSP, CISM

Usability engineering, often also called human factors engineering, focuses on optimizing the interaction between humans and the tasks they perform. Given the long-recognized importance of usability engineering in areas such as human-computer interaction, it is easy to assume that a plethora of research on the relationship between usability and information security exists. Strangely, the opposite is the case. Although numerous authors have argued for the need to pay more attention to usability considerations in information security, relatively few papers presenting research results on the relationship between usability and information security have been published. This paper covers several key research papers on this topic.

Download Research on Usability in Information Security (PDF)