Cybersecurity Impossible to Measure?

Last week, e-gov chief Karen Evans said that what keeps her up at night is cybersecurity. There may be a good reason to lose sleep, according to Richard Ford of the Florida Institute of Technology.

In his article “Open vs. Closed”, which appears in Open Source Security, Ford concludes that cybersecurity cannot be measured. He argues that there are two possible ways to measure the security of a system:

• What are the chances that the confidentiality, integrity and availability of information in a system will be compromised?

• How many vulnerabilities are there in a product?

Ford says there is no way to quantify either measure. “Measuring security will mean different things to different people,” he writes. (Citation comes by way of John Scott, director of open integrations for RadiantBlue Technologies in Reston, Va., and author of the powdermonkey blog.)

More surprisingly, Ford comes to the same conclusion regarding open-source systems (for which the source code is public) and closed-source systems (in which the source code is kept secret). “The cases where one is clearly better than the other are few and far between,” Ford says.

True, open-source applications benefit from Linus’s Law (which states that given a large enough co-developer base, almost every bug will be found quickly and the fix provided by someone), but closed source “makes it expensive for anyone other than the developer to find those bugs.” Some applications benefit from full disclosure of their inner workings, some don’t.

Just another reason to lose sleep. Let us know about your cybersecurity concerns.