Security Metrics – the “new” topic?
NIST recently released an overview report on the current state of research in security metrics (short story: there are almost none), and some areas where they feel more research is warranted. One of the problems with security as a business process is that managers are being taught that process improvement is the way to save money, but with security, there are no obvious metrics to measure to improve the process. Security is subjective, based on the person and the situation, and measurements tend toward the objective side of things.
I think that seeing new measurements is really going to improve the overall security landscape – once they’re accepted and used. NIST and the Feds already kind of lead the way with FIPS and Common Criteria (European-based), and I think that if they start using a particular metric, the commercial world will follow. One of the detriments to security metrics is that until the last few years, it hasn’t been well studied in universities – the “hotbeds” of research. I think that now we may start to see more metrics coming out as more graduate students start to study it. And if you happen to be a current grad student interested in security metrics, the NIST paper has some great starting points for a thesis.
