Security Metrics, Application Security and Cancer Research

I would not have thought that there would be a relationship among security metrics, application security and cancer research until I read an article in the Sunday Magazine section of the June 17, 2018 New York Times by Siddhartha Mukherjee with the lengthy title “A way of thinking about cancer that may expand our ideas of personalized medicine beyond mutant-hunting.”

The first point that I noted in Mukherjee’s article was the following quote by Michael Jaffe, a cancer biologist at MIT:

“As in the old joke about the drunk looking under the lamppost for his wallet, biomedical scientists tend to look under the sequencing lamppost where the ‘light is brightest’—that is, where the most data can be obtained as quickly as possible … when the really clinically useful information may be someplace else.”

So doth it go with security metrics. In my article, “Accounting for Value and Uncertainty in Security Metrics,” in the November 2008 issue of the ISACA Journal, I make a very similar point, namely, that we InfoSec professionals tend to analyze the most readily-available, cheapest-to-obtain data, when the most useful data are often difficult and expensive to collect.

Later in Mukherjee’s article he makes the point that “the cell must live in a particular context within its host.” He then asks the question “What if the ‘really useful clinical data’ lies within these domains …?” I made a similar point in a presentation with the title “Meaningful Metrics for Application Security” to the New York/New Jersey OWASP Local Chapter in May 2008.

Okay. So, what’s my point? My point is that we can learn from other disciplines, such as biomedical research, or confirm some of our ideas when we see that these other efforts, which are much more extensive and heavily-funded than cybersecurity research, have come to much the same conclusions. It is a validation (or vindication) in some sense.

The bottom line is that we should be monitoring other fields to see if their approaches and methods can be generalized and applied to our own field.

*** This is a Security Bloggers Network syndicated blog post authored by C. Warren Axelrod.