The Security Laugh Metric

Numbers are great, but here's a much simpler way to measure any organization's security sophistication

Individuals such as Pete Lindstrom and groups like securitymetrics have done a great job creating awareness of the need for security metrics. In fact, nearly a thousand security metrics can be found in the book Complete Guide to Security and Privacy Metrics for those who are metrics obsessed.

Yet there is one security metric that I've never heard discussed - one that I've found to be both valuable and insightful, and can be calculated in moments; it is the laugh metric. The laugh metric indicates a manager's lack of understanding of risk when presented with a security issue. For example, when a reasonable security recommendation is followed by a loud laugh, expect that the manager is probably only mildly aware of their security risks. A guffaw indicates only a rudimentary understanding of risk. A belly laugh shows complete cluelessness. Conversely, the deathly silence and shocked look shows the sudden realization that the problem is indeed grave.

Laughter, at any level, is an excellent indicator of how disconnected management is from information security. What I often find when conducting security audits is that the same management that has ensured that printer toner and coffee supplies are secured in a locked storeroom is not the least bit concerned that their proprietary and confidential data rests unencrypted on their flat network. While management is not expected to know the intricacies of how to administer a firewall or similar security technology, they are undeniably responsible for due diligence around security and risk.

Another metric to use in conjunction with the laugh metric is the comparison metric. When a manager's laugh is followed by a comparison to some distant entity (usually a rhetorical statement like, "Who do you think we are, the Pentagon?"), it is likely that the client is equally clueless about their overall security environment.

These types of reactions usually emanate from small to medium-size businesses that think they are immune from security threats because they are too small to matter to both criminal and hobbyist attackers. The truth be told, most organizations have thousands of attackers looking to pillage their digital resources. If organizations truly believed their dogma of being immune to attacks, they would not lock up the toner.

The reality is that small to medium-size businesses are often at greater risk for attacks and data breaches given their overwhelmed and often inexperienced information security staff and unsophisticated infrastructure. A security staff of one is often expected to be responsible for every aspect of information security. An attacker who is unsuccessful in accessing the millions of records on an Amazon or Wal-Mart database might decide to settle for 20,000 records at a credit union or medical practice.

Those who laugh at security need to understand that they, like everyone else, are a target. Consequently, their organizations need to take information security as seriously as they take toner security.

Information security is no laughing matter. When security recommendations are laughed at, it is a sure confirmation that something is amiss. Following the laugh up with an incredulous comment simply reinforces that finding.

The laugh metric: short, sweet, and devastatingly accurate.

Ben Rothke, CISSP, QSA, (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).

Copyright © 2009 IDG Communications, Inc.
