
Business urged to query security reports

By Admire Moyo, ITWeb news editor
Johannesburg, 12 May 2011

Organisations should aim to improve the standard of corporate reporting. This is according to Tony Stephanou, chief officer at T-Systems SA, speaking during the ITWeb Security Summit at the Sandton Convention Centre.

Presenting on security metrics at the summit, themed 'Growing threats in a connected world,' Stephanou said organisations should always be sceptical of the security reports they come across.

“You must always ask yourselves: ‘Is this the most appropriate statistic to measure?’” he said. He also urged organisations to make use of statistical methods where possible, to improve the credibility of security reports.

“When looking at surveys, also consider the sampling methods used to come up with the statistics; for example look for a description of the methodology and ask for the response rate, not just the number of responses,” Stephanou added.

“You must also check the scale of charts, ask for intelligent commentary and for a summary of the ”.

“Ask for the mean, median, denominator and standard deviation - average distance from the mean,” he noted.
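As an added illustration of the checks listed above (not from the summit or the article), the snippet below takes a constructed survey dataset and produces the figures Stephanou asks for, then flags two common reasons to doubt a headline number: a low response rate and a mean that is pulled away from the median by a few extreme answers. The survey, the 40 invited organisations and the incident counts are all made up for the example.

```python
import statistics
from typing import Dict, List

# Constructed sample: monthly incident counts reported by each respondent to a
# hypothetical survey. 40 organisations were invited; only 8 answered, and one
# of them reported a number far above the rest.
INVITED = 40
INCIDENTS_REPORTED = [2, 3, 1, 4, 2, 3, 2, 30]


def describe_survey(values: List[int], invited: int) -> Dict[str, float]:
    """Return denominator, response rate, mean, median and standard
    deviation (the average distance from the mean) for a set of answers."""
    if not values or invited <= 0:
        raise ValueError("need at least one response and a positive denominator")
    n = len(values)
    return {
        "responses": n,
        "denominator": invited,          # what the rate is measured against
        "response_rate": n / invited,    # not just the number of responses
        "mean": statistics.mean(values),
        "median": statistics.median(values),
        "stdev": statistics.pstdev(values),  # population standard deviation
    }


def report_warnings(summary: Dict[str, float], min_rate: float = 0.3,
                    max_skew: float = 1.5) -> List[str]:
    """List reasons to be sceptical of the headline figure.

    Thresholds are illustrative assumptions, not recommended values."""
    warnings = []
    if summary["response_rate"] < min_rate:
        warnings.append("low response rate: %d of %d invited answered"
                        % (summary["responses"], summary["denominator"]))
    # A mean well above the median means a few extreme answers drive the
    # average; the median describes the typical respondent better.
    if summary["median"] > 0 and summary["mean"] / summary["median"] > max_skew:
        warnings.append("mean %.2f far above median %.2f: quote both"
                        % (summary["mean"], summary["median"]))
    return warnings


if __name__ == "__main__":
    s = describe_survey(INCIDENTS_REPORTED, INVITED)
    for key, value in s.items():
        print("%-14s %s" % (key, value))
    for w in report_warnings(s):
        print("WARNING:", w)
```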

According to Stephanou, there may be a bias when people make security decisions because of heuristics - small mental shortcuts that help us make decisions - which may result in over or under-estimation of threats.

“Therefore, we need good security metrics to help us make better security decisions.”

He said data visualisation techniques allow the communication of large amounts of data in a picture, adding that this makes the information easier to understand.

“Businesses must also make use of threat modelling techniques in order to justify the focus on certain risks that may cause harm to the organisation and avoid concentrating effort on trivial risks,” he stressed.

Stephanou suggested that a corporate threat-modelling tool is one way businesses can focus on the 'real' risks. “You can then look at the threats based on the permutations that the modeller gives you and moderate the weightings based on the certainty of findings.”

He also believes that security professionals should up their game when it comes to security reporting and security metrics, if they are to be taken seriously by the business. “There is still a lot of room for improvement.”
