Network Security
FW: [ISN] How to measure security? NIST maps out the emerging field of IT metrology
- From: Howell, Paul
- Date: Fri Sep 11 09:59:31 2009
-----Original Message-----
From: isn-bounces@infosecnews.org [mailto:isn-bounces@infosecnews.org] On Behalf Of InfoSec News
Sent: Friday, September 11, 2009 4:23 AM
To: isn@infosecnews.org
Subject: [ISN] How to measure security? NIST maps out the emerging field of IT metrology
http://gcn.com/articles/2009/09/14/update-1-security-metrics-lacking-for-it-systems.aspx
By William Jackson
GCN.com
Sept. 10, 2009
Information technology security is a hot topic, but attention usually focuses on the lack of it. What is missing is an objective, quantifiable way to effectively measure it.
"Security can be looked at in different ways by different people," said Wayne Jansen, a computer scientist at the National Institute of Standards and Technology's IT Laboratory. There is quality control for code developers, the process of deploying a system, and its maintenance by users. "These are all different aspects," and they do not lend themselves to traditional methods of measurement used in physical science, he said.
Jansen has examined the status of efforts to develop security metrics, identified challenges and suggested a course for future research in a recent NIST report, "Directions in Security Metrics Research."
There have been a number of efforts to establish metric systems for security, including the international Common Criteria, the Defense Department's Trusted Computer System Evaluation Criteria, the European Communities' Information Technology Security Evaluation Criteria, and the International Systems Security Engineering Association's Systems Security Engineering Capability Maturity Model.
[...]