I recently attended a talk by the head of ADF Information Warfare Division who indicated that he hates using the word cyber, but it does help get him funding.
I have often heard it said and seen programs designed to improve cyber security. But how do we know when that has been achieved? How to you measure cyber security? Is cyber security in metric securitons? Or is that an imperial measure?
A simple business maxim, if you can’t measure it you can’t manage it. Cyber security is no different.
The following from RAND, Measuring Cyber Security and Cyber Resiliancy is an intersesting framework that approaches the matter not just from the inside of the organisation covering the maturity level of the system security, but also from the defensive side covering the maturity level of the defences. Both important attributes to measure to make up your organisations ‘securitons’
https://www.rand.org/pubs/research_reports/RR2703.html
1's and 0's on the digital world today