Security does not have an inherent or intrinsic value. There is no way to look at
an IA service or an IA mechanism and say we can measure that to be 42 risk-ometers.
We may count the number of IA mechanisms (e.g., quantity of firewalls). We may
impose service levels on the security operations center (e.g., respond to incidents
within X minutes). Absent inherent value, we can impose an artificial measure that
represents reality and has meaning to the enterprise. For artificial measures to have
meaning, they must be consistently applied from person to person and operation to
operation using a uniform, repeatable process.
The relevance of metrics and measures is defined by the group that uses them.
Operations is more interested in performance metrics such as service level agreements
(SLAs) (e.g., uptime of a mechanism, successful blocks of spam). Executives are more
interested in the monetary terms of ROI. Management is more interested in terms of
delivery schedules and annual budgets. Legal is more interested in legislative compliance
levels. All of these offer opportunity for IA quantification. The following sections
present an IAQF as a framework of what to look for, and an IAQP as a process
that will help you identify IA quantification opportunities and actually quantify IA.
4.2 Objectives

The objectives of this chapter are to introduce the following:

- IA² quantification framework
- IA² quantification process

At the end of this chapter, you should be able to use a disciplined approach to
identify potential manners to quantify IA.
4.3 IA Quantification Framework (IAQF)

Quantifying information assurance is a nontrivial endeavor. There are no intrinsic
values to IA; any values associated with IA are representative of operational conditions,
performance levels, and threat space, or represent stakeholder terms (dollars,
public safety, etc.). Many IA aspects are measurable. The challenge is to find them,
impose a measurement process, and report them in a manner that has meaning to
the organization. Each of the following four perspectives provides opportunities for
IA quantification:

- Stakeholder
- Asset/target
- Vulnerability
- Threat