Empirical Studies
August 25, 2004
This section includes links to studies and research measuring current security practices. The topics may (or may not) be related to security economics. Fair game includes end-user policies and practice, password effectiveness, patch management, and other subjects that lend themselves to controlled studies.
End-User Security #
The Memorability and Security of Passwords – Some Empirical Results, Yan J, Blackwell A, Anderson R, & Grant A, June 2004.
Ross Anderson and colleagues from Cambridge University have released an empiricial study of password effectiveness measuring the relative effectiveness of simple, random, and mnemonic passwords. The principal headline: “passwords based on mnemonic phrases are just as hard to crack as random passwords yet just as easy to remember as naive user selections.” Highly recommended.
Network Security #
AusCERT Presentation on MS Security Bulletins, Cooper R, May 2004
Russ Cooper gave a presentation at AusCert 2004 stating that patching does not reduce insecurity unless it can be done 100% effectively (which is impossible). His analysis was widely reported in the press. The link above is Russ’ summary, rather than the presentation itself. (Ed. - if you discover link to it, edit this entry)
The Laws of Vulnerabilities, Eschelbeck G, March 2004
In this presentation given by the CTO of Qualys, the author highlights some findings based on network sensor vulnerability data aggregated across customers. The headlines: new vulnerabilities tend to have a half-life of 30 days, and 80% of vulnerabilty exploits (attack scripts) are available within 60 days of disclosure of the vulnerability. Insightful, although we wish the raw data were available for review.
Applications #
The Security of Applications: Not All Are Created Equal, Andrew Jaquith, @stake, Inc., 2002.
Companies increasingly require ways of prioritizing security initiatives. We have found that the best-designed e-business applications have one-quarter as many security defects as the worst. By making the right investments in application security, companies can out-perform their peers and reduce risk by eighty percent.