When I used to run vulnerability management for a previous employer, my colleagues and internal clients would stop me in the corridors and ask, “Hey Mukul, how vulnerable are we today?” Of course, this question was largely unanswerable or, at best, deserving of a rhetorical answer. Yet not wanting to appear clueless about my area of responsibility, over time I found myself responding as to whether we were better or worse off than the last week or the last month. This response would normally satisfy most, but a few curious folks would ask how I knew that. I did not know how I knew, but doing the job day in and day out gave me a gut feeling...or so I thought.
My colleagues and I challenged ourselves to think analytically about what gave us the intuition on whether we were more or less vulnerable than, say, yesterday or last month. Just a little bit of thought made it clear that what we thought of as expert judgment was anything but. We were basing our conclusion on what we knew of the latest metrics on security updates and patches that had been released recently, but had not yet been applied in our environment. Not only that, we were also considering the trajectory of our vulnerability metrics, i.e., the direction in which the trend line was headed and how fast. This realization was the genesis of my recent Journal article, where the proposal is to consider the velocity and distance from a good state and the persistence of badness over time. This contrasts with considering the absolute measure of a metric, which, while important, is often inconsistent with the way humans interpret information over time.
In many human endeavors, and information security is no exception, it is the trajectory that matters more than the absolute position of whatever is being measured. The first derivative, i.e., the slope and its sign, carries more significance than the underlying data. That phenomenon explains why one automobile delivers more adrenaline than another: it is the rate of change, not the eventual steady state. It also explains why an underdog's victory in a sports contest is more thrilling than a confirmation of the favorite.
My recent Journal article provides a more serious take on this topic, proposing a method to convert the rate of change to a bounded measure to support security decisions.
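To make the idea concrete, here is an added illustration (my own construction for this post, not the scoring method from the Journal article) of the three ingredients named above: velocity (the slope of the trend line), distance from a "good state", and persistence of badness over time, each mapped onto a bounded 0..1 scale and combined into one score. The input series, the target of 10 open critical vulnerabilities, the saturation constants and the weights are all assumed values chosen for the example.

```python
import math
from typing import Dict, Sequence


def slope(values: Sequence[float]) -> float:
    """Least-squares slope of the series against its index (units per period).
    A positive slope means the metric is getting worse, a negative one better."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def persistence(values: Sequence[float], good_state: float) -> int:
    """Number of consecutive trailing periods in which the metric sat above
    the good state, i.e., how long the badness has persisted."""
    count = 0
    for v in reversed(values):
        if v > good_state:
            count += 1
        else:
            break
    return count


def saturate(x: float, half_point: float) -> float:
    """Map a non-negative quantity onto [0, 1); half_point is the value that
    scores 0.5, so larger excursions approach 1 without ever exceeding it."""
    x = max(0.0, x)
    return x / (x + half_point)


def trajectory_score(
    values: Sequence[float],
    good_state: float,
    velocity_scale: float = 5.0,      # slope (per period) that maps to tanh(1)
    distance_scale: float = 10.0,     # distance above target that scores 0.5
    persistence_scale: float = 4.0,   # periods above target that score 0.5
    weights: Sequence[float] = (0.4, 0.4, 0.2),
) -> Dict[str, float]:
    """Combine velocity, distance and persistence into one bounded score in [0, 1].
    0.5 on the velocity component means 'flat'; above it means worsening.
    Weights and scales are assumptions for this example, not from the article."""
    v = 0.5 + 0.5 * math.tanh(slope(values) / velocity_scale)   # signed, bounded
    d = saturate(values[-1] - good_state, distance_scale)        # how far from good
    p = saturate(persistence(values, good_state), persistence_scale)
    w_v, w_d, w_p = weights
    return {
        "velocity": v,
        "distance": d,
        "persistence": p,
        "score": w_v * v + w_d * d + w_p * p,
    }


# Constructed sample data: weekly count of open critical vulnerabilities.
WORSENING = [12, 15, 19, 24, 30]   # same numbers, rising
IMPROVING = [30, 24, 19, 15, 12]   # same numbers, falling
GOOD_STATE = 10                    # assumed target for this example

if __name__ == "__main__":
    for name, series in (("worsening", WORSENING), ("improving", IMPROVING)):
        result = trajectory_score(series, GOOD_STATE)
        print(f"{name:9s} " + " ".join(f"{k}={v:.2f}" for k, v in result.items()))
```

Note what the two series show: the improving week ends with a lower count, and its score is lower, but its persistence component is still high because the metric has sat above the target for every period in the window. That is the "persistence of badness" the article argues an absolute snapshot hides.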
Read Mukul Pareek’s recent ISACA Journal article:
“Standardized Scoring for Security and Risk Metrics,” ISACA Journal, volume 2, 2017.