Why Context Matters in Security Metrics
I’m Jeffrey Wheatman, Cyber Risk Evangelist at Black Kite. This is a blog about security and risk management metrics. It’s going to take me a little while to get there, but please bear with me.
Researchers at the University of Hong Kong sifted through hundreds of studies and have estimated that there are a lot of ants on the planet. In fact, approximately 20 quadrillion (20,000,000,000,000,000) of them.
I don’t know about you, but that number is so large, I can’t begin to fathom it. But it’s a really important number (you should read the rest of the blog if you want to know why).
But we can provide context and present this number in a way that makes it more meaningful. We can say there are 20,000 trillion ants. A trillion is a number that most people can understand and we now know there are a lot of trillions.
We can say that if we weighed all the ants, they would weigh more than all the mammals and birds on the planet. This approach provides context by making a comparison to something that is closer to the audience’s ‘worldview.’
We can say there are 2.5 million ants per person. This perspective is also a scaling approach that connects to a number that resonates and connects to the audience and fits in their frame of reference.
Back to Security and Risk Metrics
I’ve been advising CISOs and other security professionals for a long time. While there are a myriad of issues with the current approach to creating and presenting metrics to the non-IT audience, one of the biggest pitfalls is the lack of context.
Let’s walk through an example –
“We have 875,990 vulnerabilities”
This seems like a really big number, but we don’t know for sure, do we? Let’s analyze together by presenting a few scenarios and asking some questions.
- If we have five servers, this is pretty terrible. But if we have 2,500 servers, it’s not as bad.
- If 90% of those vulnerabilities are critical, well, that’s different than if 10% are.
- Where are those open vulnerabilities? Are they present on the most vital system we run? (The ones, if taken down, put us out of business or in the crosshairs of regulators?)
- Or are they on a brochureware site that doesn’t connect to anything or store any data?
Context is important and too often we don’t provide it. Then we are shocked when our executives don’t make the decisions we think they should about how to respond.
In a future blog, I’m going to talk about why the lack of context in third party risk management is probably the biggest problem faced by our security and risk leaders today…until then, stay tuned.
Stay safe, stay healthy and stay secure.