cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tmekelburg1
Contributor II

Cybersecurity Technology Efficacy

I was listening to the Cyber Risk Management Podcast and the topic of discussion was cybersecurity product efficacy. Check it out on your next lunch break. They referenced a report released by Debate Security called Cybersecurity Technology Efficacy: Is cybersecurity the new "market for lemons"?

 

The report has a little of something for everyone but my key takeaway was a standard way to define efficacy for products. One of the ways discussed in the podcast was, as a vendor, to have your products evaluated by a third party like MITRE's ATT&CK Evaluations. Further thoughts on the matter? Agree or disagree with anything in the report?

 

Efficacy - defined by four characteristics: 

 

Capability - When properly installed and configured, how well does the solution deliver its stated security mission? Is it fit for purpose?

 

Practicality - How easy is it for organizations to implement, integrate, operate and maintain? Is it fit for use?

 

Quality - How well designed and built is the solution to avoid vulnerabilities and negative impact?

 

Provenance - How much security risk is there in the vendor and it’s supply chain, based on how they work and who they are?

1 Reply
rslade
Influencer I

Re: Cybersecurity Technology Efficacy

> tmekelburg1 (Contributor II) posted a new topic in Industry News on 02-11-2021

> I was listening to the Cyber Risk Management Podcast and the topic of discussion
> was cybersecurity product efficacy.

Which basically turns on our old friends, functional versus assurance requirements.
(I think the earliest formal treatment of those was in the Common Criteria.)

> Is cybersecurity the new "market for lemons"?

Of course, in general that's just a restatement of our old friend "security snake
oil." We've always been a huge market for, if not outright hucksters, at least
those who keep creating new "marketing" terms for stuff that has long been used.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468