Security Metrics

Metrics are used to measure things. The problem they attempt to address is that of aligning organizational behavior with business goals. Good metrics provide visibility into performance, allowing for better informed decision-making, and can be used for forecasting and planning for future readiness and preparedness.

A key challenge in using metrics is determining appropriate metrics. One must determine what is important to a business, and then how to quantify it. In many cases, it is not easy or even possible to measure what is important, especially when 'soft' concepts like "market reputation" or "information security" are involved.

Metric framework

A generic framework for establishing metrics starts by identifying and assessing business goals, then assessing the business activities that support those goals, and finally identifying measurable components of those activities.

Types of metrics

Predictive metrics - used to predict future performance or outcomes.

Situational metrics - used to provide visibility of the current situation.

Security metrics

Security, being a non-tangible concept, is difficult to measure. Different organizations have different views regarding what constitutes an appropriate metric. A selection of views is summarised below.

Standard metrics

  • Return on Investment (ROI) indicates the change in finances that has resulted from an investment. If the investment made (or saved) more money than it cost to acquire and implement, then the investment will have a positive ROI. Determining how much something cost to acquire is relatively easy; the difficulty in ROI analysis is quantifying the return.
  • Return on Security Investment (ROSI) is based around comparing the cost of a security solution against the impact of the risk it addresses, scaled by how much of that risk the solution removes (Risk Exposure × Percentage of Risk Mitigation).
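As an added worked example (not part of the original page), the following Python code ranks candidate controls by ROSI using the common formulation ROSI = (Risk Exposure × Mitigation Ratio − Solution Cost) / Solution Cost, and then shows how far the result moves when the mitigation estimate, the 'soft' input, is off by 20 points. The control names, costs, loss figures and mitigation ratios are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float              # annual cost to acquire and operate (constructed)
    mitigation_ratio: float  # fraction of the exposure it is expected to prevent


def risk_exposure(single_loss: float, annual_rate: float) -> float:
    """Expected annual loss: loss per incident times expected incidents per year."""
    return single_loss * annual_rate


def rosi(exposure: float, control: Control) -> float:
    """ROSI = (exposure * mitigation_ratio - cost) / cost; positive means the
    expected loss avoided exceeds the control's cost, negative means it does not."""
    if control.cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    avoided_loss = exposure * control.mitigation_ratio
    return (avoided_loss - control.cost) / control.cost


def rank_controls(exposure: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, best first."""
    scored = [(c.name, round(rosi(exposure, c), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def sensitivity(exposure: float, control: Control, deltas=(-0.2, 0.0, 0.2)) -> dict[float, float]:
    """ROSI when the estimated mitigation ratio is off by each delta (clamped to 0..1)."""
    out = {}
    for d in deltas:
        ratio = min(1.0, max(0.0, control.mitigation_ratio + d))
        out[d] = round(rosi(exposure, Control(control.name, control.cost, ratio)), 2)
    return out


if __name__ == "__main__":
    # Constructed scenario: an incident costing 200k, expected 0.5 times a year -> 100k exposure.
    exposure = risk_exposure(200_000, 0.5)
    candidates = [
        Control("mfa", cost=20_000, mitigation_ratio=0.6),
        Control("edr", cost=60_000, mitigation_ratio=0.7),
        Control("external_audit", cost=120_000, mitigation_ratio=0.8),
    ]
    for name, value in rank_controls(exposure, candidates):
        print(f"{name:15} ROSI = {value:+.2f}")
    print(sensitivity(exposure, candidates[0]))  # a 20-point estimate error moves ROSI by 1.0
```

The third control has a negative ROSI even though it mitigates the most risk, which is exactly the comparison ROSI is meant to surface; the sensitivity sweep shows that the ranking rests on estimates that are themselves hard to quantify.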

Jaquith's view on ROI

In "Security Metrics", Andrew Jaquith argues that Return on Investment (ROI) is not an appropriate metric for security effectiveness: "Analytical rigor receives little attention, while nebulous, nonquantitative mantras rule: 'defense in depth,' 'security is a process,' and 'there is no security by obscurity,' to name a few."

He recommends that risks be quantified in terms of the value of the assets they apply to. One metric he proposes is "level of effort to subvert", in contrast to a metric along the lines of "number of possible vulnerabilities".