Industry View
The Security Laugh Metric
Numbers are great, but here's a much simpler way to measure any organization's security sophistication
By Ben Rothke, CSO
January 15, 2009
Individuals such as Pete Lindstrom and groups like securitymetrics have done a great job creating awareness of the need for security metrics. In fact, nearly a thousand security metrics can be found in the book Complete Guide to Security and Privacy Metrics for those who are metrics obsessed.
Yet there is one security metric that I've never heard discussed, one that I've found to be both valuable and insightful, and that can be calculated in moments: the laugh metric. The laugh metric gauges a manager's lack of understanding of risk when presented with a security issue. For example, when a reasonable security recommendation is met with a loud laugh, the manager is probably only mildly aware of the organization's security risks. A guffaw indicates only a rudimentary understanding of risk. A belly laugh shows complete cluelessness. Conversely, deathly silence and a shocked look show the sudden realization that the problem is indeed grave.
Laughter, at any level, is an excellent indicator of how disconnected management is from information security. What I often find when conducting security audits is that the same management that has made sure printer toner and coffee supplies are secured in a locked storeroom is not the least bit concerned that its proprietary and confidential data sits unencrypted on a flat, unsegmented network. While management is not expected to know the intricacies of administering a firewall or similar security technology, it is undeniably responsible for due diligence around security and risk.
Another metric to use in conjunction with the laugh metric is the comparison metric. When a manager's laugh is followed by a comparison to some distant entity (usually a rhetorical statement like, "Who do you think we are, the Pentagon?"), it is likely that the client is equally clueless about their overall security environment.
These types of reactions usually come from small to medium-size businesses that think they are immune to security threats because they are too small to matter to either criminal or hobbyist attackers. Truth be told, most organizations have thousands of attackers looking to pillage their digital resources. If organizations truly believed they were immune to attack, they would not lock up the toner.
The reality is that small to medium-size businesses are often at greater risk of attack and data breach, given their overwhelmed and often inexperienced information security staff and unsophisticated infrastructure. A security staff of one is often expected to be responsible for every aspect of information security. An attacker who fails to get at the millions of records in an Amazon or Wal-Mart database might decide to settle for 20,000 records at a credit union or medical practice.