The 5 best malware metrics you can generate

Are you asking the right computer security questions? If you can answer these five, you'll know better how to secure your organization.


One of my favorite quotes from Albert Einstein goes:

“If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question I could solve the problem in less than 5 minutes.”—Albert Einstein

A big problem in the computer security world is that practitioners aren’t skeptical enough, don’t question purported authority statements, and often don’t ask the right questions. It’s a theme I see over and over, and it leads defenders to enact the wrong computer security defenses or to worry about the wrong metrics.

Many defenders are asked to come up with hundreds of controls and metrics that are supposed to accurately define the security risk of their environment. A handful of controls, like those around social engineering and patch management, will quantify the vast majority of computer security risk in most environments. Even then, for those controls, most defenders get it wrong.

For example, defenders often think that they need to reach 100 percent patching on all computers, especially for the Windows operating system, to be secure. The truth is that patching a few browser add-ins on workstations, and patching the web and database software on servers, removes more risk than patching the OS or any of the hundreds of other programs you are told to worry about. There are outlier attacks, but they are just that…outliers, and they don’t define most of the risk.
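To make that argument measurable, here is an added example (not code from the original article) that computes patch coverage two ways over the same inventory: across every installed program, and across only the programs the paragraph singles out as carrying most of the risk. The inventory, the host roles, the category-to-role tiering and the version strings are all constructed for illustration; a real deployment would feed this from a software inventory or vulnerability scanner export.

```python
"""Risk-weighted patch coverage: measure the few programs that matter first.

Added example, not from the original article. The idea it implements is
that a small set of programs (browser and browser add-ins on workstations,
web and database software on servers) carries most of the patching risk,
so "percent of all software patched" is the wrong metric to watch.

Everything below (hosts, roles, software names, versions, tiering) is a
constructed assumption for illustration.
"""

# Assumed tiering: which software categories are high risk for each role.
HIGH_RISK = {
    "workstation": {"browser", "browser-addin"},
    "server": {"web", "database"},
}

# Constructed inventory rows:
# (host, role, software, category, installed_version, latest_version)
INVENTORY = [
    ("ws01", "workstation", "browser", "browser", "120.0.1", "121.0.0"),
    ("ws01", "workstation", "pdf-plugin", "browser-addin", "9.1", "9.4"),
    ("ws01", "workstation", "os", "os", "10.0.22631", "10.0.22631"),
    ("ws01", "workstation", "office", "other", "16.0.1", "16.0.1"),
    ("ws01", "workstation", "media-player", "other", "3.2", "3.2"),
    ("ws02", "workstation", "browser", "browser", "121.0.0", "121.0.0"),
    ("ws02", "workstation", "pdf-plugin", "browser-addin", "9.4", "9.4"),
    ("ws02", "workstation", "os", "os", "10.0.22631", "10.0.22631"),
    ("ws02", "workstation", "office", "other", "16.0.1", "16.0.1"),
    ("ws02", "workstation", "media-player", "other", "3.0", "3.2"),
    ("srv01", "server", "httpd", "web", "2.4.57", "2.4.58"),
    ("srv01", "server", "dbms", "database", "15.4", "15.4"),
    ("srv01", "server", "os", "os", "10.0.20348", "10.0.20348"),
    ("srv01", "server", "backup-agent", "other", "7.2", "7.2"),
]


def _version(v):
    """Split a dotted version string into a comparable tuple (numeric parts as ints)."""
    return tuple(int(p) if p.isdigit() else p for p in v.split("."))


def is_patched(installed, latest):
    """A program counts as patched when it is at or above the latest known version."""
    return _version(installed) >= _version(latest)


def patch_coverage(inventory, high_risk=HIGH_RISK):
    """Return coverage over all software, over high-risk software only,
    the fraction of hosts whose high-risk software is fully patched,
    and the concrete high-risk items still waiting to be fixed."""
    all_patched = all_total = 0
    hr_patched = hr_total = 0
    host_clean = {}          # host -> True until an unpatched high-risk item is seen
    unpatched_high_risk = []

    for host, role, name, category, installed, latest in inventory:
        patched = is_patched(installed, latest)
        all_total += 1
        all_patched += patched
        if category in high_risk.get(role, ()):
            hr_total += 1
            hr_patched += patched
            host_clean.setdefault(host, True)
            if not patched:
                host_clean[host] = False
                unpatched_high_risk.append((host, name, installed, latest))

    return {
        "all_software": all_patched / all_total,
        "high_risk": hr_patched / hr_total,
        "hosts_high_risk_clean": sum(host_clean.values()) / len(host_clean),
        "unpatched_high_risk": unpatched_high_risk,
    }


if __name__ == "__main__":
    result = patch_coverage(INVENTORY)
    print(f"all software patched:      {result['all_software']:.0%}")
    print(f"high-risk software patched:{result['high_risk']:.0%}")
    print(f"hosts with clean high-risk:{result['hosts_high_risk_clean']:.0%}")
    for host, name, installed, latest in result["unpatched_high_risk"]:
        print(f"  fix first: {host} {name} {installed} -> {latest}")
```

On the constructed data the all-software number is 71 percent, which looks respectable, while only half of the high-risk programs and one host in three are actually patched where it matters. The short "fix first" list is the actionable output; the headline percentage is the one that hides the risk. Swap the HIGH_RISK tiering for whatever your own incident history says is being exploited, not what the vendor patch count says.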
