Where is the science in security risk measurement today?

Security risk management today is both an art and a science. But, as I mentioned in my last post, "The Current State of Security Risk Management," it needs to be more of a science. In this post, I will examine some of the current efforts to bring a more scientific approach to the field.

Assessments and Audits
Information Technology (IT) auditing began as Electronic Data Processing (EDP) auditing in the late 1960s. The field has grown and changed considerably with the growth of the Internet, e-commerce, and data protection and privacy regulations such as HIPAA, GLBA and FISMA. While these regulations and compliance requirements have certainly helped improve security effectiveness, particularly for companies that had lagged behind in security investment, we are still far from being able to measure how much more secure we actually are, or the ROI of our security investments.
Audits and assessments of third-party business partners are questionnaire-based, and the amount of verification varies significantly with regulations, policies and budget. Mostly they are a subjective measure of a company's policies at one point in time and do not reflect actual security effectiveness on a daily, continuing basis. With the tools available on the market today, the risk of sharing sensitive data with business partners is difficult to measure.

Network and Application Scanning and Testing Tools
Network-based vulnerability scanners and web application scanning tools are fairly effective at finding vulnerabilities and identifying areas of risk. Instead of merely knowing an organization's patch management policy, scans show how effectively that policy is actually applied. However, these tools have their limitations. Networks and applications can only be tested for known vulnerabilities, and a clean scan today does not mean that attackers will not find vulnerabilities tomorrow. Given the quickly evolving nature of cyber attacks, continuous insight is required to manage risk.

Security information and event management (SIEM)
SIEM products aggregate and correlate data from many sources across the enterprise, including the network, servers, databases, applications and security devices, providing a vast amount of security intelligence on a continual basis. For companies that have the staff and procedures to handle and act on this data, a SIEM can greatly improve security effectiveness by detecting breaches in real time through analysis of security event data.
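To make the aggregate-and-correlate point concrete, here is an added example (not code from the original post or from any SIEM product) of a single correlation rule run over constructed log lines from two sources, an SSH auth log and a firewall export. The hostnames, IP addresses and line formats are assumptions made for the example. The rule fires only when both sources are fed in together, which is the practical reason aggregating across sources matters:

```python
"""Correlating events from two log sources the way a SIEM rule would.

Added example, not code from the original post or from any SIEM product.
The hostnames, IP addresses and log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources: an SSH auth log and a firewall
# export. Timestamps are ISO 8601 for simplicity; real syslog formats vary.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:05 fw DENY TCP 203.0.113.7:51125 -> 10.0.0.5:22
2024-05-01T10:00:09 auth sshd[1207]: Failed password for admin from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:15 auth sshd[1210]: Accepted password for admin from 203.0.113.7 port 51133 ssh2
2024-05-01T10:05:00 auth sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-05-01T10:30:00 auth sshd[1350]: Accepted password for bob from 198.51.100.9 port 40010 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>DENY|ALLOW) TCP (?P<ip>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+)"
)


def normalize(line):
    """Map one raw line from either source onto a common event schema.

    Returns None for lines no parser recognises; a real SIEM should count
    and surface those rather than silently drop them.
    """
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                "type": "login_failure" if m["outcome"] == "Failed" else "login_success",
                "ip": m["ip"], "user": m["user"], "port": "22"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                "type": "conn_deny" if m["action"] == "DENY" else "conn_allow",
                "ip": m["ip"], "user": None, "port": m["port"]}
    return None


def is_attempt(event):
    """An SSH login attempt that did not succeed, from whichever source saw it."""
    return event["type"] == "login_failure" or (
        event["type"] == "conn_deny" and event["port"] == "22")


def correlate(lines, window=timedelta(seconds=60), threshold=3, sources=None):
    """Rule: at least `threshold` failed SSH attempts from one IP inside
    `window`, followed by a successful login from that IP, raises an alert.

    `sources` optionally restricts which log sources feed the rule, so the
    effect of aggregating more than one source can be compared directly.
    """
    events = [e for e in map(normalize, lines) if e is not None]
    if sources is not None:
        events = [e for e in events if e["source"] in sources]
    events.sort(key=lambda e: e["ts"])  # sources arrive out of order in practice
    recent = defaultdict(list)  # source IP -> timestamps of recent failed attempts
    alerts = []
    for e in events:
        bucket = recent[e["ip"]]
        while bucket and e["ts"] - bucket[0] > window:  # expire attempts outside the window
            bucket.pop(0)
        if is_attempt(e):
            bucket.append(e["ts"])
        elif e["type"] == "login_success" and len(bucket) >= threshold:
            alerts.append({"ip": e["ip"], "user": e["user"],
                           "ts": e["ts"].isoformat(), "attempts": len(bucket)})
            bucket.clear()
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("all sources:", correlate(lines))                      # one alert for 203.0.113.7
    print("auth log only:", correlate(lines, sources={"auth"}))  # no alert: only two failures seen
```

The auth log alone shows two failed logins from 203.0.113.7 before the success, under the threshold; only when the firewall's denied connection to port 22 is normalized into the same schema and counted does the rule fire. That is the whole value of the aggregation step, and also its cost: every additional source needs a parser, a timestamp that can be aligned with the others, and someone to act on the resulting alert.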

But even though SIEM technology is widely available, a key finding of the McAfee Needle in a Datastack study was “the inability of the majority of organizations to identify security breaches and security risks as they happen.” The report found that companies were under-equipped and overconfident in their security capabilities, revealing that “only a fraction” of the companies surveyed were using “genuinely SIEM tools.”

In conclusion, although significant progress has been made toward turning security risk management into a science, we still have a long way to go. What are your thoughts on efforts to introduce a more scientific approach to security risk management?