Measures generate data and metrics organize data to generate information.  The difference between ‘data’ and ‘information’, the former is something you know, the latter is something you use.

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for September, 2009:

Measures generate data and metrics organize data to generate information. 

The difference between ‘data’ and ‘information’, the former is something you know,

the latter is something you use.

In security, it is easy to confuse the terms ‘measures’ and ‘metrics’.  They are two distinct but related concepts.  Measurement theory incorporates the scale of nominal, ordinal, interval, ratio, and absolute.  These scales are used to measure something, with the output being data.  Metrics however are about analysis and intelligent decision making.  Metrics translate data into meaningful information which will support decision making.  Data is something you know.  Information is something you use to make decisions.

Fortune Cookie Security Advice - No Royal Road to Security - July 2008

Fortune Cookie Security Advice - Strategic Compettive Secure - June 2009

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2009

I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security.  Admittedly, I was on auto-pilot (operating without the benefit of coffee) rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought provoking questions: CAN one "mandate optimal security"?  How do you "mandate flexible"?

I was stopped in my tracks.  This got me thinking.  After fetching a tall cup of coffee to start my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:

I believe, to a certain extent, we can mandate flexibility and optimization.  Surely we can act in ways which deny both.  So why can’t we act in a manner which intrinsically promotes them?

I think back to lessons of WWII and the Maginot line.  The French chose to create a fortification which was static by design and lacked mobility or a capability to adapt to changing enemy tactics.  They invested heavily into this control, which became the backbone of their country's eastern defense.  It was an appalling failure.  Alternatively, the German blitzkrieg, and the stratagems of both Rommel and Patton prevailed.  Flexibility through mobility was far more effective than an elaborate static defense.

I would argue that flexibility can be mandated through proper planning and design.  We have examples in the history of information security.  In the early years of Anti-Virus (AV) products, they were non-memory resident applications which were prescribed to be run once a week.  Updates were a rarity if at all.  That rigid design quickly lost effectiveness, with the rise in velocity of new malware.  AV vendors were forced to adapt.  The overall design has changed to one which is flexible, can be updated to meet emerging malware, and continuously runs in the background to provide persistent security.

Rigid security postures lack the ability to remain effective over time and are likely derived by an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Create security to be flexible and you enable the service to keep up with the continual changes.

In general, design a system to be flexible and its longevity for effectiveness is extended.  Plan how systems can continuously adjust itself to align to what is 'optimal' and you increase the sustaining efficiency.

We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot line.

Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.

More on “Optimal security”:

Strategy for Sustaining Optimal Security

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - June 2008

Defense In Depth Strategy Optimizes Security

The Four Dirty Questions of Measuring Information Security

What are your thoughts?  Rigid or Fluid?  Have you implemented optimal and flexible?