ABSTRACT

It is generally agreed that few activities can be managed well without decent metrics. The fact that many information security managers do manage adequately with just technical metrics, some notion of good or best practices coupled with experience, a modicum of intuition, and a bit of luck would seem to suggest that this isn’t entirely true. If, in addition, trends show that the overall results of security activities are consistent with expectations, impacts are acceptable, and costs are reasonable, this may seem adequate to the majority of organizations. However, this often results in a dangerous underestimation of actual risks. A prime example is the recent poster child for virtually every aspect of deficient security, TJX, with the loss of some 46 million credit records. The sheer magnitude of this breach, coupled with the facts that it wasn’t discovered until some 18 months later and that some 80 gigabytes of protected data had been transferred out over its own networks, can to a significant extent be attributed to poor or nonexistent monitoring and metrics. The ultimate costs of this particular debacle remain to be seen but have, as of this writing, exceeded 250 million dollars.