Information Security Governance Metrics

The term metric simply denotes a measurement taken against a reference. For example, if we want to measure how secure the email system is, we would use metrics such as how much information is sent in clear text, or which types of file attachment can be accepted or sent by email. Those kinds of things.

Metrics involve at least two points: the measure itself and some form of reference. Security means protection from, or the absence of, danger, so we need particular metrics to measure against that. Weak security and strong security can only be distinguished by some kind of measurement and some reference point; without both we cannot declare either. Therefore, security metrics should tell us the degree and level of safety relative to some reference point.

How do we determine what effective metrics are? If we can't measure something, it's difficult to manage it. Standard, everyday security measurements can be effective metrics: the downtime due to a Trojan horse, the downtime due to a denial of service attack, or the number of penetrations of a system from outside our firewall. If we can measure the impact of a threat or attack as quantifiable loss of time or data, we have effective metrics. The larger the organization, the larger the number of available metrics. The bottom line is that effective metrics deliver results, and they help security meet the business needs.

There are four main components of security metrics:
  • Results-oriented metrics analysis: The whole purpose of metrics is to lead us somewhere, to improve the organization. If we don't analyze the metrics to obtain results, collecting them is a waste of time.
  • Quantifiable performance metrics: Metrics have to be mathematically quantifiable, based on defined performance attributes. For example, the number of IP packets hitting our external router with a spoofed source IP address is quantifiable.
  • Practical security policies and procedures: Security policies and procedures have to be practical, and metrics need to be based on realistic day-to-day policies and procedures, because metrics derive from our security policy. The security policy therefore dictates what types of metrics we can use.
  • Strong upper-level management support: Our security metrics must have strong support from upper-level management. What good is it to produce reports based on particular metrics if upper-level management will neither act on the results nor commit budget to mitigate the problems they reveal?
Two other key metrics are the KGI (Key Goal Indicator) and the KPI (Key Performance Indicator); they are used in the balanced scorecard presented to the board of directors.
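To make the "measurement plus reference point" idea concrete, here is an added example (not from the original post) that computes the spoofed-packet metric mentioned above from firewall log lines and then rates it against a reference threshold. Everything in it is an assumption for illustration: the key=value log format, the external interface name `eth0`, the organization's own public prefix `203.0.113.0/24`, the reference ratio of 1%, and the sample log lines themselves are all constructed.

```python
"""Added example: a quantifiable security metric measured against a reference.

Assumptions (not from the original page): a key=value firewall log format,
eth0 as the Internet-facing interface, 203.0.113.0/24 as the organization's
own public prefix, and a policy reference of at most 1% spoofed inbound
packets. The sample log lines are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Source addresses that can never legitimately arrive on an Internet-facing
# interface: RFC 1918, loopback, link-local and the "this network" range.
BOGON_SOURCES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]

# Assumption: the organization's own public prefix. A packet that claims to
# come from inside the organization but arrives from outside is spoofed.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

EXTERNAL_IFACE = "eth0"   # assumption: the Internet-facing interface
REFERENCE_RATIO = 0.01    # assumption: policy tolerates at most 1% spoofed

# Constructed sample log: one record per line, timestamp then key=value pairs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z iface=eth0 dir=in action=accept src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443
2024-05-01T10:00:02Z iface=eth0 dir=in action=drop src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=22
2024-05-01T10:00:03Z iface=eth0 dir=in action=accept src=192.0.2.55 dst=203.0.113.25 proto=udp dport=53
2024-05-01T10:00:04Z iface=eth0 dir=out action=accept src=203.0.113.10 dst=198.51.100.7 proto=tcp dport=443
2024-05-01T10:00:05Z iface=eth0 dir=in action=drop src=203.0.113.77 dst=203.0.113.10 proto=tcp dport=445
2024-05-01T10:00:06Z iface=eth1 dir=in action=accept src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=443
2024-05-01T10:00:07Z iface=eth0 dir=in action=accept src=198.51.100.9 dst=203.0.113.10 proto=tcp dport=443
2024-05-01T10:00:08Z iface=eth0 dir=in action=drop src=169.254.3.4 dst=203.0.113.10 proto=udp dport=123
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = ts
    return fields


def is_spoofed_source(src, own_prefixes=OWN_PREFIXES):
    """A source is spoofed if it is a bogon or falls inside our own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or missing field: not counted as spoofed
    return any(addr in net for net in BOGON_SOURCES + list(own_prefixes))


@dataclass
class SpoofMetric:
    total_inbound: int   # all inbound packets seen on the external interface
    spoofed: int         # those whose source address cannot be genuine

    @property
    def ratio(self):
        return self.spoofed / self.total_inbound if self.total_inbound else 0.0


def measure_spoofed_inbound(log_text, iface=EXTERNAL_IFACE):
    """The measurement: count spoofed packets among inbound packets on iface."""
    total = spoofed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("iface") != iface or rec.get("dir") != "in":
            continue  # outbound traffic and other interfaces are out of scope
        total += 1
        if is_spoofed_source(rec.get("src", "")):
            spoofed += 1
    return SpoofMetric(total, spoofed)


def rate_against_reference(metric, reference_ratio=REFERENCE_RATIO):
    """The reference point: the same number means nothing without it."""
    return "strong" if metric.ratio <= reference_ratio else "weak"


if __name__ == "__main__":
    m = measure_spoofed_inbound(SAMPLE_LOG)
    print(f"inbound={m.total_inbound} spoofed={m.spoofed} "
          f"ratio={m.ratio:.2%} reference={REFERENCE_RATIO:.2%} "
          f"rating={rate_against_reference(m)}")
```

The two halves of the script mirror the two points every metric needs: `measure_spoofed_inbound` is the measurement, and `rate_against_reference` is the comparison with a reference that should come from the security policy, not from the person running the report.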

Regards my friend, and remember: if you want to improve, you have to measure with proper metrics.