Wednesday, December 16, 2009

Context-free Abstract Security Scale

crunge: I would like to propose a metric for security - the context-free abstract security scale. Its unit will be the Mitnik. It is a logarithmic scale based on the natural log so something rated at 8 Mitniks is about 2.7183 times as secure as something rated at 7 Mitniks.
radsy: seems fair
adam_vollrath: there are a few metrics out there, government certification of platforms and junk like that
crunge: So when someone asks "How secure is OpenBSD out of the box?" you can answer with confidence, "11.8 Mitniks".
adam_vollrath: Sounds dangerously misleading. And funny; I assume you're being funny.
crunge: But this is abstract, and context-free so anything can be compared against anything else.
crunge: to be able to compare anything to anything else you need a measure with no inherent meaning. Meaning really screws up graphs.
crunge: It'll revolutionize the industry
tonymec: crunge: this scale would have to evolve, as today's stuff is a lot more secure (hopefully) than what was used X decades ago. However log(1) is 0 in any log base, so "normal" security would have to be kept at 0 mitniks, pushing yesterday's stuff, if it doesn't change, farther and farther into the negative, like identical answers to an IQ test give you a far worse score than they did your parents a generation ago.
crunge: Can you imagine the value to Pen Testers? They can walk in, sum up the Mitniks based on their evaluation, and then itemize the gain in Mitniks based on implementing their recommendations.
crunge: And IT managers can plot growth in Mitniks as policies are implemented. You'd be able to quantify ROI on buying that new IPS.
crunge: tonymec: even better. It would be based on the average which would of course be determined by the Pen Testers. I smell a business model paradigm shift.
adam_vollrath: Now you just need to create synergy between stakeholders.
crunge: adam_vollrath: oh yeah, and crowdsource it.
