We've all seen the DHS security traffic light. You know the one: where green means "move along citizen" and red means "if you can read this you're probably already crispy." Don't worry, I'm not going to rant about the DHS terror alert light - I actually happen to think it's a good idea. I do wish they would "normalize" the data so that we could move out of yellow every once in a while, but all-in-all, I've got no beef with the DHS on this one. However, I do have a beef with all the "wanna-be" traffic lights.
Like a mother hen, the DHS "threat advisory" has spawned a clutch of little infosecurity "threat advisories." We have at least ten in infosec:
There's the Symantec "Threat-Con" which tells us about "network incident activity" and "overall malware activity".
Next, there's the "Virusometer" from Panda that tells us about what Panda's software is out there finding "in the wild".
If that's not good enough for you, there's the CA "SECCON" that tells you about the state of "malware and vulnerabilities".
Of course, there's the venerable "InfoCon" that tells you about attackers, worms, and the like:

There's the VirusList.com "Virus Epidemic Threat Level" telling us about, again, malware.
And last but not least are the NY State Office of Cyber Security "Threat Indicator" (currently at low) and the New Hampshire Department of Safety "Alert Indicator" (also at low).
Whew... What a list! In case you haven't noticed by now, these "indicators" are all reporting more or less the same metrics (mostly AV output), but they have different methodologies for normalizing the data into a high-level metric. While one meter might have 3 levels (like "high, medium, low"), somebody else might have four or five (like "unprecedented, egregious, ridiculously high, severe, and pretty high"). Not only is the normalization different and the methodology different, but the indicators rarely say the same thing.
So how useful is that? If you said "useful like a glass hammer," I'm right with you. Since we can't possibly contribute any more confusion than there already is, we see no problem with adding another voice to the cacophony. As such, Security Curve proudly announces our new dashboard: the "Horrific Catastrophe Yousa-People-Gonna-Die TerrorMonger Alert Con." We will post the details in a subsequent post (Diana has some great pictures queued up for it) along with a URL that you can include on your webpage to keep up to date on the fear-mongering.
Posted by Ed at November 11, 2005 10:32 AM