ISECOM - Institute for Security and Open Methodologies


SECURITY METRICS - RAVs (Risk Assessment Values)

Security metrics are the cornerstone of change control and information security management. They are factual security numbers: measures based on the effectiveness of security and loss controls, as opposed to the number of implemented security and loss controls.

The OSSTMM refers to security metrics as RAVs, or Risk Assessment Values. While they do not formulate risk assessments, the RAVs are the building blocks of any risk assessment. They are the facts on which you base your relative assumptions. It is like the difference between knowing you need a large desk and knowing that you need one which is 2.2m x 3m.

There is no fancy algorithm and there are absolutely no extraneous weights on the data. There are also no assumptions and no complex comparisons. It's a pure metric. The RAVs are designed to be simple, quickly calculated, accurate, and realistic. Furthermore, the RAVs are designed to be equally accurate whether calculating the security and loss control measures for a military base, an office building, a bridge, a Mars rover, a computer network, or a single, interactive application on a computer.

RAVs are part of the OSSTMM and are protected under the Open Methodology License. Use of the RAVs is open to all both privately and commercially.
 

TOOLS & SOFTWARE | PRICE | DESCRIPTION

RAV Spreadsheet (.xls or .ods) | FREE | The standard calculation functions for Operational Security and Actual Security in a simple spreadsheet. Suggested for experts only.

RAV Formula | FREE | The standard calculation formula for Operational Security and Actual Security. Suggested for developers only.

Security Testing Audit Report (STAR) | FREE | The primary purpose of this Audit Report is to provide a standard reporting scheme based on a scientific methodology for the accurate characterization of security through examination and correlation in a consistent and reliable way. The secondary purpose is to provide guidelines which when followed will allow the auditor to provide a certified OSSTMM audit.


The best use of RAVs is for measuring security in a consistent and repeatable manner, regardless of which company provides the testing. RAVs also allow for a percentage which is comparable across industry, organization size, region, policy, and financials. RAVs provide a benchmark that allows third parties such as insurance companies, government auditors, industry regulators, and military personnel to correctly classify an organizational group, from a single unit up to a national defense, with one standard measurement.
 

 

 

Formerly the Ideahamster Organization - www.isecom.org - www.osstmm.org - www.hackerhighschool.org - www.isestorm.org
 All contents copyright © 2000 - 2006 - ISECOM - Institute for Security and Open Methodologies. All rights reserved.