Security Control Effectiveness


   I've been doing some research on control effectiveness.  I am aware of many standards such as PCI, FISMA, ISO 27000, etc.  I am also aware of the SANS Top 20 controls, the AUstralia top 35 strategies to mitigate threats, but what I am having trouble digging up is rough data on how effective each control is.  I would love to see some numbers.  I know each control can have a percentage attached to it (maybe Antivirus is only installed on 80 of windows servers for example), but I'd love to see numbers I can take to the CFO or CEO to better calculate the effectiveness.  For IT security controls, one could leapfrog off of NSS labs, but what about other control processes?  I know CMMi and could help devise a system to see the maturity of a particular control, but without doing metrics is there anything solid I can point to?  Some kind of actuarial-type table?

   I can see collecting metrics before and after to help better facilitate better numbers.  What are your thoughts?  Does anyone have such data?  I know the numbers are so variable depending on all kinds of factors such as, insider verses outsider attacks, background checks, network segmentation, security awareness training, etc. etc. etc.  Some controls work in concert with one another so I'll appreciate any links.  

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I strongly believe that you cannot measure that. IT security is a mix of many measures one takes and some even interact or depend on each other.

I'd rather draw scenarios that are likely to happen and see (in numbers) how grave their effects are (monetary loss due to additional working hours for example) and see what countermeasures you are already using and where you need to expand.
awakeningsAuthor Commented:

    Thank you.  There must be some very rough numbers (or some measure of effectiveness like Low, Medium, or High).  A firewall will reduce many attacks.  I wouldn't be surprised if it eliminated 20% of the problems.  Antivirus might eliminate another 10%, etc.  How did Ponemon rank AV as low?  How about the Australian Government ranking it as 30 out of 35?  There must be some kind of assessment methodology going on.  How does SANS rank the importance?  Insurance companies have all kinds of tables that inform them of risk.  There should be something similar for security.  Everyone knows it isn't going to be perfect, but even rough estimations would be helpful.  Thoughts?
Good numbers come from lab conditions. It's a complex matter, not a lab. Insurance companies use statistics - you don't have these since the majority of security incidents is not even discovered or reported. It's all estimates and depending on what party you ask, these will be different.

If you would like to see numbers about your business that help you rise your security level, you should rather hire pentesters. They would assess the overall level and tell you for example "we found 50 problems in total, of which we rank 6 severe (=easy to exploit with grave consequences), 25 medium (quite easy to exploit with medium or minor consequences) and 19 low risk (harder to exploit with only minor damage  to be expected)". That would boost you.

Showing your CEO numbers like "look, having disk encryption is lowering overall security risks by 15%" will just never happen.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
awakeningsAuthor Commented:

    I understand the process.  I was just hoping someone would have done some rough guidelines and that I was unaware of those guidelines.  I'll give you points.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.