Source URL: https://www.schneier.com/blog/archives/2025/07/measuring-the-attack-defense-balance.html
Source: Schneier on Security
Title: Measuring the Attack/Defense Balance
Feedly Summary: “Who’s winning on the internet, the attackers or the defenders?”
I’m asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain’s latest Lawfare piece has amassed data.
The essay provides the first framework for metrics about how we are all doing collectively—and not just how an individual network is doing. Healey wrote to me in email:
The work rests on three key insights: (1) defenders need a framework (based in threat, vulnerability, and consequence) to categorize the flood of potentially relevant security metrics; (2) trends are what matter, not specifics; and (3) to start, we should avoid getting bogged down in collecting data and just use what’s already being reported by amazing teams at Verizon, Cyentia, Mandiant, IBM, FBI, and so many others…
AI Summary and Description: Yes
Summary: The text discusses a framework presented by Jason Healey and Tarang Jain for evaluating cybersecurity metrics based on threats, vulnerabilities, and consequences. It emphasizes the need for a collective overview of security performance rather than just individual network assessments. The initial findings reveal improvements in certain areas of cybersecurity while highlighting the ongoing challenges in dealing with consequences.
Detailed Description:
The excerpt covers a piece by Jason Healey and Tarang Jain that outlines a new framework for assessing cybersecurity metrics collectively rather than for a single network. This framework is poised to change how defenders understand their position against attackers in the cybersecurity landscape.
Key Insights:
– **Framework Development**: The framework categorizes security metrics based on threat, vulnerability, and consequence, addressing the overwhelming flood of data defenders face.
– **Focus on Trends**: The authors argue that understanding trends rather than specific data points is crucial for evolving security strategies.
– **Leveraging Existing Data**: They suggest that instead of solely collecting new data, cybersecurity entities should utilize already-reported statistics from reputable organizations like Verizon, Cyentia, Mandiant, IBM, and the FBI.
Conclusion Highlights:
– While the report indicates that defenders are improving in areas such as threat operations, threat ecosystem management, and software vulnerability mitigation, it also points out that there have been no corresponding improvements in the consequences experienced, hinting at the necessity for deeper examination and action.
– The article outlines a three-phase project to further refine this analytical framework:
  – **Phase One**: Presenting the initial framework.
  – **Phase Two**: Creating a comprehensive catalog of indicators linked to threats, vulnerabilities, and consequences while promoting the reporting of relevant statistics over time.
  – **Phase Three**: Driving enhanced analysis and reporting based on gathered data.
Implications for Security Professionals:
– **Holistic View**: The framework underscores the importance of a holistic view of cybersecurity metrics that can foster better-informed strategies for defenders facing constantly evolving threats.
– **Collaborative Efforts**: Engaging with various cybersecurity firms to report pertinent data can lead to more informed decision-making and potentially fortify collective defenses.
– **Next Steps**: Cybersecurity professionals can look forward to the subsequent phases of this project for further guidance on improving metrics and reporting standards within their own organizations, aligning with the ongoing evolution of the cybersecurity landscape.