Answering the Unanswerable Question: How Secure Are We?
Business environments consist of invisible or ill-defined risk factors which create challenges with prioritization for business owners, systems owners, and IT/Security teams in their goal to improve their security position. The security of the environment relies upon the appropriate people understanding and addressing the risks. However, they typically do not have the relevant understanding, and therefore, the capability to act, due to the complexities of the defense-in-depth strategies. Security professionals have a good understanding of the relationships between the various controls and have numerous tools to consolidate logs and network traffic. However, while many of these tools are "best-of-breed" and operate within their information silos, they lack native methods to populate external systems to aggregate the findings in a risk-based approach which business stakeholders require to make decisions. By designing a framework to collect and measure different aspects of security, this research explores how to remove the operational fog that obscures our vision of our environments. With layers of fog removed, the improved clarity allows us to make quantitative assessments of our security by examining how security controls relate to one another.
39620 (PDF, 2.47MB)
3 Jun 2020Related Content
Reducing Excessive Trust in the Web PKI Ecosystem
Research PaperThis research examines the possibility of developing an add-on for the open-source mitmproxy project to add drift detection for root Certification Authority (CA) certificates, incorporate policy-based controls over which CAs are allowed, and leverage an ensemble of existing technologies—some in novel ways—to reduce the level of trust placed in the public Web PKI.
- 12 Mar 2026
Inside the Five Most Dangerous New Attack Techniques
Research PaperThis e-book represents the next evolution of that effort. Here, we take the five key topics presented from the keynote stage and expand them into four full-length chapters.
- 8 Dec 2025
- Heather Barnhart, Rob T. Lee, Joshua Wright, Tim Conway
Structural Vulnerability: Autodesk Revit Server WAN Exposure Versus Cost of Autodesk Construction Cloud
Research PaperAutodesk Revit Server, a critical collaboration tool in the architecture, engineering, and construction (AEC) industry, was designed to operate within trusted networks.
- 7 Nov 2025
Privacy Protections: Are Stronger Laws Changing What We Reveal?
Research PaperAs U.S. states enact privacy laws aimed at giving consumers more control over their personal data, little is known about whether privacy legislation influences individuals’ willingness to disclose their identity on public platforms.
- 26 Sep 2025
Revolutionizing ISO 27001 Audit Evidence Collection: Steampipe as the Ultimate Tool
Research PaperIn the current landscape of increasing regulations, cyber breaches, and business risks, information...
- 5 Dec 2024
Assessing Operational Technology: Using the ONG-C2M2 Model and CIS Controls to Assess Operational Technology (OT) Environments
Research PaperMost small to medium-sized organizations rely heavily on CIS Controls (Center for Internet Security,...
- 20 Dec 2023
Who Needs a Pentest: Validating the Configuration of an EDR Solution Using the MITRE ATT&CK Framework
Research PaperIs that EDR suite fully configured, and providing the expected protection? Do we have a scalable way...
- 7 Nov 2023
"Think Different" About Compliance: Is Effective, Automated macOS Configuration Achievable with NIST's macOS Security Compliance Project?
Research PaperInformation security compliance within the Apple macOS ecosystem is an especially challenging...
- 21 Dec 2022
Risk Prioritization: An Examination of Published Exploitability Ratings
Research PaperBusinesses struggle to prioritize the remediation of vulnerabilities in their environment. One...
- 27 Jan 2022
Ransomware Impact Assessments: Guidance is Common, Your Organization is Not!
Research PaperDefeating ransomware's threat has become a cyber-Sisyphean task because the cybersecurity community...
- 3 Nov 2021
Security Network Auditing: Can Zero-Trust Be Achieved?
Research PaperSince 2010, government and business organizations have begun to adopt the Zero-Trust framework....
- 23 Sep 2020
Risk Management with Automated Feature Analysis of Software Components
Research PaperOrganizations developing software need pragmatic risk management practices to prevent malicious code...
- 27 Aug 2020
Building an Audit Engine to Detect, Record, and Validate Internal Employees' Need for Accessing Customer Data
Research PaperWhen using Software-as-a-Service (SaaS) products, customers are asked to store and entrust a large...
- 11 Dec 2019
Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures
Research PaperOrganizations' supply chains are growing increasingly interdependent and complex, the result of...
- 7 Nov 2019
Cyber Protectionism: Global Policies are Adversely Impacting Cybersecurity
Research PaperCyber Protectionist policies are adversely impacting global cybersecurity despite their intent to...
- 21 Aug 2019
Overcoming the Compliance Challenges of Biometrics
Research PaperDue to increased regulations designed to protect sensitive data such as personally identifiable...
- 22 May 2019
Evaluation of Comprehensive Taxonomies for Information Technology Threats
Research PaperCategorization of all information technology threats can improve communication of risk for an...
- 26 Mar 2018
Increase the Value of Static Analysis by Enhancing its Rule Set
Research PaperStatic analysis tool vendors are debating whether to allow their customers a rule-set tailored to...
- 29 Jan 2018
Leverage Risk Focused Teams to Strengthen Resilience against Cyber Risks
Research PaperInformation security, risk management, audit and business continuity teams must continue to evolve...
- 17 Nov 2017
Securing Against the Most Common Vectors of Cyber Attacks
Research PaperAdvanced Persistent Threat (APT) adversaries run highly targeted, multifaceted campaigns to exploit...
- 12 Sep 2017