Learning From Early Attempts to Measure Information Security Performance
The rapid evolution of threat ecosystems and the shifting focus of adversarial actions complicate efforts to assure the security of an organization's computer networks. Efforts to build a rigorous science of security, one consisting of sound and reproducible empirical evaluations, start with measures of these threats, their impacts, and the factors that influence both attackers and victims. In this paper, the authors present a careful examination of the issue of account compromise at two large academic institutions. In particular, they evaluate different hypotheses that capture common perceptions about factors influencing victims (e.g., demographics, location and behavior) and about the effectiveness of mitigation efforts (e.g., policy and education).