Archive for January, 2009

What is an “effective” control?

Monday, January 12th, 2009

An interesting question went out to one of my favorite mailing lists a few days ago (SecurityMetrics.org) regarding a definition for “effectiveness”. It’s one of those words that we in the security profession use constantly, but there seem to be differing opinions on what qualities a control (or group of controls) must have in order to be ‘effective’. For instance, does it need to be foolproof? Prevent at least 90% of attacks? Provide more value than it costs? Satisfy its purchasers? Make auditors happy? Something else?

After thinking over it a bit, I offered up the following definition to the group:

“If it does what it’s supposed to, to the degree it’s supposed to, it’s effective (no matter how much risk, or what % of attacks, etc. it reduces). If it does that for a cost that is low relative to its effectiveness, it’s efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it’s optimal.”

I know this isn’t a new question nor do I feel I’ve offered up some novel, ultra-insightful definition. I’d simply like to know what other folks out there think. Agree / Disagree? Have something better?

What are we on the lookout for?

Wednesday, January 7th, 2009

A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.
