Tom from the c-APT-ure blog recently pointed me to the Malware Analysis Quant Research Project spearheaded by Securosis. The goal of the project is to develop a malware analysis model, complete with specific processes and metrics. The published white paper is 53 pages. Every organization has a malware problem and rapid identification and scoping is a big step towards successfully allocating precious security resources towards important events like attacks from determined adversaries as opposed to commodity worms and malware. The open nature of the model allows existing infrastructure within your organization to be readily integrated, shifting the focus towards identification and measurement of any process gaps. Those of you routinely hammered by ROI questions will applaud the focus on actionable metrics aimed at cost quantification.