When it comes to cyber defense, most organizations are dealing with two conflicting problems: Too much information and too little intelligence. How can it be fixed? Effective cyber security metrics, says NJVC Cyber Security Principal Robert J. Michalsky, who released a white paper on generating usable cyber security metrics for IT enterprises. To understand how cyber security metrics can help safeguard any enterprise, NJVCommentary sat down with Michalsky to discuss the findings of his paper. 


Q: Why should an organization be concerned with security metrics?

A: Because in order to improve and protect organizational assets in the future, we need to understand what happened in the past. Many cyber security products produce copious amounts of data simply because they can. If access is provided to network traffic, measures such as the quantity of IP addresses utilized and the amount of packets transmitted can be easily collected and reported. The challenge for the cyber analyst is to select measures that can lead to decisions – that provide a measure of insight which can enhance security control protections – and make the organization infrastructure safer.


Q: Large organizations can have thousands of end devices and hundreds of thousands or millions of users – how can quantities that vast be monitored?

A: Automation is increasingly being used to sift through extensive data sets and report out on metrics that are of interest. This still requires human decisions to set the parameters that will trigger those alerts. Many cyber vendor products are monitoring network traffic in virtual real time and based on customization and the selection of key security measures, providing cyber analysts with realistic warnings that truly provide organizational insight.


Q: Can security metrics be used for predictive analytics?

A: The ‘holy grail’ for many cyber security practitioners is to construct mathematical models that can predict the future based on the past. Unfortunately that type of objective falls into unrealistic expectations. What can be done with security metrics however is to discern patterns and to allow for business rules to be enacted that can serve to better protect an organization. Analyzing metrics over time can reveal nuances based on minor slopes in lines that may indicate a situation to be further investigated. One example is discovering the ‘low and slow’ method of data exfiltration where volumetrics may not indicate an issue unless trend line analysis is used.


Q: I need to justify increased IT expenditures on security.  Can security metrics provide Return on Investment (ROI) measures?

A: The fallacy here is thinking spending on cyber security protection measures can generate a business ROI measure. A better perspective is to relate cyber security spending to insurance spending – both serve to mitigate or outsource risk – but neither provides a ‘return’ in any classical business spending sense. An organization identifies, quantifies and prioritizes various forms of risk and then looks for cost effective methods to reduce those risks. Security metrics provide insights into how well cyber security risks have been lowered based on a specific budget expenditure.


Q: There are so many potentially valuable security metrics – how can an organization determine what is best to use?

A: Borrowing an approach often used in software engineering – Use Cases – allows an organization to take a comprehensive approach and bring in business value perspectives that serve to augment traditional IT only security protection measures. The best metrics are those that have true meaning for an organization and provide compelling data leading to decisions.

About the Author

Robert J. Michalsky has served government and commercial customers for more than 30 years. As NJVC Principal, Cyber Security, he quantifies and pursues new business opportunities in cyber security. Mr. Michalsky spent more than 15 years providing cyber security-related IT engineering services for classified Intelligence Community and Department of Defense customers. Read More | Contact Us