A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Who Watches the Watchers? Metrics for Security Strategy - Michael Roytman Converge 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Who Watches the Watchers? Metrics for Security Strategy
Michael Roytman

Security Metrics are often about the performance of information security professionals - traditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure if those metrics are the rights ones? How does one measure risk reduction, or how successful your metrics program is at operationalizing that which is necessary to prevent a breach? This talk will borrow concepts from epidemiology, repeated game theory, classical and causal probability theory in order to demonstrate some inventive metrics for evaluating vulnerability management strategies. Not all vulnerabilities are at risk of being breached. Not all people are at risk for catching the flu. By analogy, we are trying to be effective at catching the "disease" of vulnerabilities which are susceptible to breaches, and not all are. How do we determine what is truly critical? How do we determine if we are effective at remediating what is truly critical? Because the incidence of disease is unknown, the absolute risk can not be calculated. This talk will introduce some concepts from other fields for dealing with infosec uncertainty.

Michael Roytman is responsible for building out Risk I/O's predictive analytics functionality, and has been selected to speak at some of the top information security events on this topic including RSA, SOURCE, BSides, Metricon, SIRACon and more. He formerly worked in fraud detection in the finance industry, and holds an MS in Operations Research from Georgia Tech, with a focus on the intersection of game theory and security. His home in Chicago contains a small fleet of broken-down drones.

Back to Converge 2015 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast