Resources for Measuring Cybersecurity

Kathryn Waldron at R Street has collected all of the different resources and methodologies for measuring cybersecurity.

Posted on November 1, 2019 at 6:27 AM • 12 Comments


Sancho_P • November 1, 2019 8:01 AM

Her story at the beginning is on top. It reveals a sad truth:
Good technicians tend to be eloquent and are honest.
Good non-technicians are eloquent only.
- The poor chap wasn’t prepared to meet business.
A good CEO will know that.

Fine collection anyway, thanks!

- • November 1, 2019 10:43 AM

@ Moderator,

The above comment from "Los Angeles" is, shall we say, rather more than odd.

Also I'm not sure it meets this blog's voting rules.

The last time someone behaved in this way they caused endless problems not just for those picked on but for other readers / posters. The net result was a very clear drop in the numbers of people posting, which is still quite visible in effect. As such it damages the usefulness of the blog, which may well be that poster's intention as in previous cases.

. • November 1, 2019 10:55 AM

I hole-hardedly agree, but allow me to play doubles advocate here for a moment. For all intensive purposes I think you are wrong. In an age where false morals are a diamond dozen, true virtues are a blessing in the skies. We often put our false morality on a petal stool like a bunch of pre-Madonnas, but you all seem to be taking something very valuable for granite. So I ask of you to mustard up all the strength you can because it is a doggy dog world out there.
Although there is some merit to what you are saying it seems like you have a huge ship on your shoulder. In your argument you seem to throw everything in but the kids Nsync, and even though you are having a feel day with this I am here to bring you back into reality. I have a sick sense when it comes to these types of things. It is almost spooky, because I cannot turn a blonde eye to these glaring flaws in your rhetoric. I have zero taller ants when it comes to people spouting out hate in the name of moral righteousness.
You just need to remember what comes around is all around, and when supply and command fails you will be the first to go. Make my words, when you get down to brass stacks it doesn't take rocket appliances to get two birds stoned at once. It's clear who makes the pants in this relationship, and sometimes you just have to swallow your prize and accept the facts. You might have to come to this conclusion through denial and error but I swear on my mother's mating name that when you put the petal to the medal you will pass with flying carpets like it’s a peach of cake.

Clive Robinson • November 1, 2019 11:14 AM

@ All,

I've been banging on about usable and reliable measurands for years now, and I think we can all see the way the industry has gone with "best practice" that is not and "traffic light displays" that quantify nothing in a usable way.

Honestly I don't expect it to change any time soon; ICTsec as mostly practiced is about as far away from engineering, science or even philosophy as it gets. It's basically a game of "follow the leader" dressed up in "Emperor's clothes".

I don't wish to be considered unkind, but in the author's lead-in they give a list of criteria starting with "objective" but then give,

    Capable of being quantified

Sorry, either it is fully quantified or it is not a measurand that can be used for "objective" observation, which forms the basis of the scientific method, which in turn forms the basis of engineering, which in turn is the basis of all reliable functional tools.

Perhaps people should take a long hard look at metrology[1] and understand what useful measurands are all about, their strengths, their weaknesses and how you get the proper results so you can objectively observe and analyze. This then forms the foundation on which observations and the resulting conjectures can be verified by others and thus increase a reliable corpus of information.

Though I can understand why many might run scared of this. One of the metrology subfields is "Legal Metrology"; it is an area where legislation can be not just formed but be testable by all. Some people do not want that at any price, and others should ask them why.

[1] Metrology is all around us, even in most arts. Why the computer industry feels it has no real need of it should make people think that "even snake oil gets measured in pints". You can read more on metrology at,

SpaceLifeForm • November 2, 2019 3:24 PM

So, after over a day, can we conclude, with no supporting comments, that "Measuring Cybersecurity" is a Fool's Errand?

There is nothing to measure when you know it is a mess.

Sancho_P • November 2, 2019 6:11 PM

Um, I think the message here shouldn’t be to measure what can’t be evaluated.
The message is: Don’t face the lion without any defense.
These people you have to deal with are not stupid! They don’t want to know what can’t be known, but they smell uncertainty from 100 yards.
These resources can be a good start to produce some figures - and own ideas.

Clive Robinson • November 3, 2019 3:31 AM

@ SpaceLifeForm,

"There is nothing to measure when you know it is a mess."

A mess is only a mess when you cannot figure it out, and that's best done with the right measure. So if you don't have one, you make one, then as with many things you refine it and temper it so it becomes finely honed[1].

Thus the basic evidence based empirical approach that man has taken over the centuries, that the practitioners of from just before but mainly during the Victorian era got the name of "scientists"[2]...

[1] Yes, I know our first generally accepted prototype for both weight and volume was not exactly well honed. But being a "hen's egg"[3] it was readily available in the first place we did "science experiments" and "wrote up" the results for others to use --even if only by word of mouth--, which was what we now call the kitchen.

[3] If ever you are looking to translate very old recipes into modern measures to try them out, remember a large hen's egg is what you need to work with at ~2oz (56.7g) in the shell, or a minimum in the 54-62g range depending on "local customary measure" standards. In the US one dozen large eggs in a box are supposed to weigh one and a half pounds (680g), even today. The weight of the egg white is ~1oz and that has a volume of ~2 tablespoons; the yolk is ~1 tablespoon in US customary measures. The US tablespoon is ~14.79ml, "metricated" in both the US and UK to 15ml and 20ml in Australia. Oh, and for that really big cake or pudding in custard... 1 cubic meter is 67628.045117839 US standard tablespoons.

SpaceLifeForm • November 3, 2019 1:22 PM

"The message is: Don't face the lion without any defense."

True. But the way I read the research, it was mostly about feeding CEOs stuff to consider for CYA positions.

The first 5 categories are either about CYA or Money. Or both.

Category 6 is 'others'.

The Lion is fascism, the defense is to have a legal excuse in court after a company gets hacked and then sued.

"We had all of these processes in place, we followed best practices, we constantly measured our cybersecurity, and even though we got hacked, it was not our fault!"

"We move for dismissal of this case"

So, is the solution to buy CyberInsurance?

Doubtful. The Lion will extort and/or extract money one way or another.

SpaceLifeForm • November 3, 2019 1:58 PM

"A mess is only a mess when you can not figure it out, and that's best done with the right measure."

Hmmm. Measuring tools.


Hmmm. Mess on floor.

Looking for the right length cable...

Can I measure with a wire cutter and crimper?

Maybe I should not worry about the crimper.

Weather • November 3, 2019 5:50 PM

20 years and counting, but ha, that Swedish person was ten, maybe you don't understand you don't know, was it NSA or you?

tds • November 7, 2019 10:12 AM

@., SpaceLifeForm

Regarding .'s message, the first time I saw it I stopped reading after a few lines. Perhaps it was a message designed to give headaches.

After reading "AI phonetic search engine now confused." I tried .'s message again, but still couldn't finish it, although I admired its wordmanship.
