Measuring Information Security Risk. Metricon 1, 1 August 2006. Bob Blakley
Measurements are not Metrics
• Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments.
• - Wikipedia
Measuring Risk (frequency of occurrence versus impact)
• High impact, common: estimate probability and consequence; Mitigate
• High impact, uncommon: estimate log(probability) and consequence; Mitigate & Recover
• High impact, rare: estimate worst-case consequence; Recover
• Low impact, common: estimate probability and consequence; Mitigate
• Low impact, uncommon: ignore
• Low impact, rare: ignore
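The grid above says the estimation method changes with how often a loss event occurs: for common events the probability is observable and an expected-loss figure is meaningful, for uncommon events only the order of magnitude of the probability can be estimated, and for rare events the probability is unknowable so only the worst-case consequence is worth estimating. The following is an added example (not from the slides) that applies that triage to a few constructed scenarios; the frequency and impact thresholds and the dollar figures are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Assumed thresholds (not from the slides): "common" is at least once a year,
# "uncommon" is between once a century and once a year, anything rarer is "rare";
# a single event costing at least HIGH_IMPACT is "high impact".
COMMON_MIN_PER_YEAR = 1.0
UNCOMMON_MIN_PER_YEAR = 0.01
HIGH_IMPACT_USD = 1_000_000.0


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # estimated frequency
    loss_per_event: float    # estimated consequence of a typical event, USD
    worst_case_loss: float   # estimated worst-case consequence, USD


def frequency_band(events_per_year: float) -> str:
    if events_per_year >= COMMON_MIN_PER_YEAR:
        return "common"
    if events_per_year >= UNCOMMON_MIN_PER_YEAR:
        return "uncommon"
    return "rare"


def impact_band(loss_per_event: float) -> str:
    return "high" if loss_per_event >= HIGH_IMPACT_USD else "low"


def assess(s: Scenario) -> dict:
    """Pick the estimate and the response the grid prescribes for one scenario."""
    freq = frequency_band(s.events_per_year)
    impact = impact_band(s.loss_per_event)
    result = {"name": s.name, "frequency": freq, "impact": impact}

    if freq == "common":
        # Probability is observable: expected annual loss is a usable number.
        result.update(method="probability and consequence",
                      estimate=s.events_per_year * s.loss_per_event,
                      action="mitigate")
    elif impact == "low":
        # Uncommon or rare AND low impact: the grid says ignore.
        result.update(method="none", estimate=None, action="ignore")
    elif freq == "uncommon":
        # Only the order of magnitude of the probability is estimable, so report
        # log10(probability) alongside the consequence rather than a product.
        result.update(method="log(probability) and consequence",
                      estimate=math.log10(s.events_per_year),
                      consequence=s.loss_per_event,
                      action="mitigate & recover")
    else:
        # Rare and high impact: the probability is unknowable; estimate the
        # worst case and plan to recover from it.
        result.update(method="worst-case consequence",
                      estimate=s.worst_case_loss,
                      action="recover")
    return result


# Constructed scenarios for illustration; the numbers are invented.
PHISHING = Scenario("credential phishing", 50.0, 5_000.0, 50_000.0)
RANSOMWARE = Scenario("ransomware outbreak", 0.2, 2_000_000.0, 20_000_000.0)
DATACENTER_LOSS = Scenario("primary datacenter destroyed", 0.001, 10_000_000.0, 50_000_000.0)
LOST_LAPTOP = Scenario("encrypted laptop lost", 0.05, 2_000.0, 10_000.0)


def triage(scenarios=(PHISHING, RANSOMWARE, DATACENTER_LOSS, LOST_LAPTOP)) -> list:
    return [assess(s) for s in scenarios]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['name']}: {r['frequency']}/{r['impact']} -> "
              f"{r['method']} = {r['estimate']} ({r['action']})")
```

The point the code makes explicit is that the three estimates are not comparable quantities: an expected annual loss, an order of magnitude of probability, and a worst-case figure answer different questions, which is why the slide prescribes a different response (mitigate, mitigate and recover, recover) for each band.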
Risk Correlates: Vital Signs It’s hard to make you sick without changing your pulse, temperature, or blood pressure.