Cybersecurity Technology Efficacy

tmekelburg1 — Thu, 11 Feb 2021 15:04:41 GMT

I was listening to the Cyber Risk Management Podcast and the topic of discussion was cybersecurity product efficacy. Check it out on your next lunch break. They referenced a report released by Debate Security called Cybersecurity Technology Efficacy: Is cybersecurity the new "market for lemons"?

The report has a little of something for everyone but my key takeaway was a standard way to define efficacy for products. One of the ways discussed in the podcast was, as a vendor, to have your products evaluated by a third party like MITRE's ATT&CK Evaluations. Further thoughts on the matter? Agree or disagree with anything in the report?

Efficacy - defined by four characteristics:

Capability - When properly installed and configured, how well does the solution deliver its stated security mission? Is it fit for purpose?

Practicality - How easy is it for organizations to implement, integrate, operate and maintain? Is it fit for use?

Quality - How well designed and built is the solution to avoid vulnerabilities and negative impact?

Provenance - How much security risk is there in the vendor and it’s supply chain, based on how they work and who they are?

Re: Cybersecurity Technology Efficacy

rslade — Thu, 11 Feb 2021 17:11:37 GMT

> tmekelburg1 (Contributor II) posted a new topic in Industry News on 02-11-2021

> I was listening to the Cyber Risk Management Podcast and the topic of discussion
> was cybersecurity product efficacy.

Which basically turns on our old friends, functional versus assurance requirements.
(I think the earliest formal treatment of those was in the Common Criteria.)

> Is cybersecurity the new "market for lemons"?

Of course, in general that's just a restatement of our old friend "security snake
oil." We've always been a huge market for, if not outright hucksters, at least
those who keep creating new "marketing" terms for stuff that has long been used.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

topic Re: Cybersecurity Technology Efficacy in Industry News

Cybersecurity Technology Efficacy

Re: Cybersecurity Technology Efficacy