Security metrics tend to show an inability to assess securit

Security metrics tend to show an inability to assess security measures, do you feel there is an inability to assess security measures? What can be done to improve this inability? Please justify your answer.

Solution

The term metrics are by drawing a distinction between metrics and measurements where metrics are generated from analysis and measurements are generated by counting. Metrics helps the IT departments to monitor current security program and provide insights regarding Information security program effectiveness, helps to identify the level of risks, level of regulatory compliance.

The standard term to define security metrics are security level, security indicators and security performance. The information which derived from these metrics helps in measurement of security. Security tend to show an inability to assess security measuress as contemporary security metrics fails to tell about the degree of safety and how to avoid danger.

To improve the security measurement program, two methods should be adopted:

1. Quantify the secure development lifecycle - In order to be improve security measures the following steps should be included:

2. Source Code Analysis - From source code analysis the best metrics are derived. For good source analysis, the three main elements are accuracy, precision and robustness.

A source code analyzers should accurately identify vulnerabilities, must be precise and able to deal with large, complex bodies of code.