Security firm Qualys has launched a security metrics initiative at the RSA Europe 2013 conference in Amsterdam.
The project is aimed at collecting as many useful, positive security metrics as possible to enable data-driven security, said Wolfgang Kandek, chief technology officer at Qualys.
The security industry initiative is part of the Trustworthy Internet Movement (TIM) set up and funded by Qualys CEO Philippe Courtot in 2012. TIM aims to tap the power of the global security community to advance industry-wide technology innovations and initiatives for actionable change.
In line with those aims, organisations are invited to contribute easily understandable security metrics that security practitioners can use to present to the business.
For too long CFOs have had the monopoly on interesting metrics to present that demonstrate the financial progress of the business, said Kandek. Security practitioners need a similar set of proven metrics that non-security people in the business can understand.
For example, the US Department of State has introduced a formula for calculating the risk score for every computer. In this way, each division and individual can see their own risk scores and how these compare with the rest of the department. “This creates a kind of ‘security market’ of risk scores which the IT security team can use to influence the behaviour of users,” said Kandek.
The biggest threats get the highest scores, thereby making them a top priority for department members keen to keep their score as low as possible. “Within a year of introducing the metric, the department was able to reduce its overall risk score by 90% by incentivising people to address the biggest risks as quickly as possible,” said Kandek. Similarly, the department was able to achieve a patch rate of 90% for one particular Windows XP vulnerability within a week.
Qualys itself has also introduced a metric of a vulnerability’s “half-life”: the time interval needed to reduce the occurrence of a vulnerability by half. The initial average half-life has been around 30 days and varies by industry sector, with clear distinctions, for example, between finance and manufacturing, said Kandek.
Another influencing factor is the application class, where applications that offer a structured update mechanism are typically found on the leading edge of the half-life metric. Vulnerability half-life data is based on the over 800 million scans performed yearly by Qualys.
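The half-life metric described above can be computed from ordinary scan data, as the following added example shows. This is illustrative code written for this page, not Qualys’s method or any published formula from the initiative; it assumes that the number of affected hosts falls exponentially after disclosure (so that a single half-life describes the curve) and uses a constructed series of weekly counts rather than real scan results. It also includes the inverse calculation, which shows how a stated remediation rate such as “90% patched within a week” translates into an implied half-life under that same assumption.

```python
"""Estimate a vulnerability's half-life from periodic scan counts.

Added example (not Qualys code). Assumes exponential decay of the number
of affected hosts: count(t) = count(0) * 2 ** (-t / T), where T is the
half-life in days. Under that model, ln(count) is linear in t with slope
-ln(2) / T, so a least-squares fit on the log counts recovers T.
"""
import math

# Constructed sample only: (days since disclosure, hosts still affected).
# Values roughly follow an exponential curve with a 30-day half-life.
SAMPLE_SERIES = [(0, 1000), (7, 851), (14, 724), (21, 616),
                 (30, 500), (45, 354), (60, 250)]


def estimate_half_life(series):
    """Return the half-life in days implied by a (day, count) series.

    Zero counts are skipped (their log is undefined). Returns math.inf
    when the fitted slope is not negative, i.e. exposure is not shrinking.
    """
    points = [(day, math.log(count)) for day, count in series if count > 0]
    if len(points) < 2:
        raise ValueError("need at least two non-zero observations")
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all observations fall on the same day")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    if slope >= 0:
        return math.inf
    return -math.log(2) / slope


def days_to_remediation_rate(half_life, rate):
    """Days until `rate` (0 < rate < 1) of the affected hosts are fixed.

    Solving 1 - 2**(-t/T) = rate for t gives t = T * log2(1 / (1 - rate)).
    """
    if not 0 < rate < 1:
        raise ValueError("rate must be strictly between 0 and 1")
    return half_life * math.log2(1 / (1 - rate))


def half_life_from_remediation_rate(days, rate):
    """Half-life implied by fixing `rate` of hosts within `days` (inverse)."""
    if not 0 < rate < 1:
        raise ValueError("rate must be strictly between 0 and 1")
    return days / math.log2(1 / (1 - rate))


if __name__ == "__main__":
    t_half = estimate_half_life(SAMPLE_SERIES)
    print(f"fitted half-life: {t_half:.1f} days")
    print(f"days to reach 90% remediated at that half-life: "
          f"{days_to_remediation_rate(t_half, 0.9):.1f}")
    # A 90% patch rate within a week corresponds to a half-life of ~2.1 days
    # under the exponential assumption.
    print(f"half-life implied by 90% patched in 7 days: "
          f"{half_life_from_remediation_rate(7, 0.9):.2f}")
```

Feeding the same function with per-sector or per-application-class series gives the kind of comparison the article mentions; the fit degrades when remediation happens in a single step (one patch cycle), so it is worth checking the residuals before quoting a half-life for a series with only a few scans.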
Kandek has committed to posting the monthly half-life benchmark for Microsoft’s Internet Explorer on the TIM project page to support the security metrics initiative. He said that the more people who contribute metrics they have used to achieve positive change in their organisations, the better. “No one organisation can solve the security challenges we are facing without peer feedback,” he said.