Measuring Security Effectiveness

Image: TaoSecurity Security Effectiveness Model (thumbnail)

Last week my compliance vs. security Venn diagram got a lot of traction on Twitter thanks to a mention by @stevewerby. It was nice to get this kind of attention; however, the best part was @taosecurity chiming in with a related diagram, a Security Effectiveness Model he posted around the same time. It depicts the overlap between what is actually defended and what the adversary actually attacks, as explained in the third paragraph of the excerpt below. The thumbnail is on the right, but be sure to check out the full image here.

via TaoSecurity

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.

Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label “Defensive Plan”; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as “Threat Actions”; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label “Live Defenses”.

I call the Defensive Plan “Correct” when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat’s interests. I call it “Incorrect” when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.

Continued here.
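To make the three areas above concrete, here is an added example (my own code, not from the post above or from TaoSecurity) that treats Defensive Plan, Threat Actions and Live Defenses as plain sets and carves them into the seven Venn regions. The "correct" and "incorrect" labels follow the definitions in the excerpt; the two ratios at the end (how much of the adversary's interest is covered by a live defense, and how much of the plan is actually live) are my own assumed metrics, not something the model defines. The asset labels are constructed sample data.

```python
"""Set-based view of the three areas of interest in the Security Effectiveness Model.

Added example, not code from the original post. Each set holds labels for
things (systems, attack paths, controls) that the relevant party cares
about or that are actually in place. The labels below are constructed
sample data, not real inventory.
"""
from dataclasses import dataclass
from itertools import product

# Constructed sample data (assumption): what each party "sees".
DEFENSIVE_PLAN = frozenset({"web-app", "vpn", "email", "file-server", "hr-laptops"})
THREAT_ACTIONS = frozenset({"web-app", "email", "domain-controller", "backups"})
LIVE_DEFENSES = frozenset({"web-app", "vpn", "file-server", "backups", "printers"})


@dataclass(frozen=True)
class Assessment:
    correct: frozenset          # Defensive Plan that overlaps Threat Actions (as defined in the excerpt)
    incorrect: frozenset        # Live Defenses outside the plan or outside the adversary's interest
    threat_uncovered: frozenset  # adversary cares, but nothing is live there
    planned_not_live: frozenset  # in the plan, but never actually deployed
    threat_coverage: float      # assumed metric: |Threat ∩ Live| / |Threat|
    plan_realized: float        # assumed metric: |Plan ∩ Live| / |Plan|


def venn_regions(plan, threat, live):
    """Return all seven non-empty-capable regions keyed by (in_plan, in_threat, in_live)."""
    universe = set(plan) | set(threat) | set(live)
    regions = {key: set() for key in product((True, False), repeat=3)}
    for item in universe:
        regions[(item in plan, item in threat, item in live)].add(item)
    return {key: frozenset(members) for key, members in regions.items()}


def assess(plan, threat, live):
    """Label the overlaps the way the excerpt does and compute two coverage ratios."""
    plan, threat, live = frozenset(plan), frozenset(threat), frozenset(live)
    correct = plan & threat
    # "outside the interest of the security team or outside the interest of the
    # adversary" == live defenses not in both other sets
    incorrect = live - correct
    return Assessment(
        correct=correct,
        incorrect=incorrect,
        threat_uncovered=threat - live,
        planned_not_live=plan - live,
        threat_coverage=len(threat & live) / len(threat) if threat else 0.0,
        plan_realized=len(plan & live) / len(plan) if plan else 0.0,
    )


if __name__ == "__main__":
    report = assess(DEFENSIVE_PLAN, THREAT_ACTIONS, LIVE_DEFENSES)
    for field in ("correct", "incorrect", "threat_uncovered", "planned_not_live"):
        print(f"{field:17s}: {sorted(getattr(report, field))}")
    print(f"threat coverage  : {report.threat_coverage:.2f}")
    print(f"plan realized    : {report.plan_realized:.2f}")
    for key, members in venn_regions(DEFENSIVE_PLAN, THREAT_ACTIONS, LIVE_DEFENSES).items():
        if members:
            print(f"plan={key[0]!s:5} threat={key[1]!s:5} live={key[2]!s:5} -> {sorted(members)}")
```

The interesting output is the region the excerpt does not name: items the adversary cares about that are neither planned nor live (here the domain controller). The threat-coverage ratio is what actually answers "how effective are we", and it ignores the plan entirely, which is the point of the threat-centric view.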

#####

Today’s post pic is from TaoSecurity.blogspot.com. See ya!

4 comments for “Measuring Security Effectiveness”

  1. January 12, 2015 at 1:02 pm

    novainfosec: Measuring Security Effectiveness – see our post for more info http://t.co/uuLaXbD7Th #infosec

  2. January 12, 2015 at 6:01 pm

    Measuring Security Effectiveness – see our post for more info http://t.co/QSJDDZXwBu #infosec

  3. January 12, 2015 at 7:47 pm

    secarch: RT grecs: Measuring Security Effectiveness – see our post for more info http://t.co/yRRY9KiEhD #infosec

  4. January 13, 2015 at 1:02 pm

    Measuring Security Effectiveness – see our post for more info http://t.co/K7DMw6zURn #infosec
