Metrics for Information Security
- Security Metrics by Andrew Jaquith (2007)
- Security Metrics that Count – for Twilio
- Austin Songer's List of Information Security Metrics to Track
CISSP study guide (p. 88): When a countermeasure or safeguard is implemented, security metrics should show a reduction in unwanted occurrences or an increase in the detection of attempts. Otherwise, the security mechanism is not providing the expected benefit. The act of measuring and evaluating security metrics is the practice of assessing the completeness and effectiveness of the security program. This should also include measuring it against common security guidelines and tracking the success of its controls.
Choosing to monitor or measure something that the security staff has little control over, or that is based on external drivers, can cause significant problems.
W. Krag Brotby and Gary Hinson (PRAGMATIC Security Metrics, 2013) state that metrics should be:
- Predictive: They help us deal with situations, make decisions and improve things for the future;
- Relevant: To the subject matter i.e. information security, governance, risk, compliance, control ...;
- Actionable: They tell us things that we can actually do something about, apart from saying “Oh, that’s nice!”;
- Genuine: The numbers are fact-based and cannot easily be faked or manipulated for some hidden agenda;
- Meaningful: To the intended audience/s, without creating a lot of head-scratching and hand-waving;
- Accurate: Sufficiently true and precise to allow proportional control (not just stop/go but how fast?);
- Timely: Security is a dynamic area, so we need up-to-date information at the point decisions have to be made;
- Independent: Measured dispassionately and objectively, based on verifiable evidence; and
- Cost-effective: Generate more value than they cost to gather, analyze, present and use.
Standards and Frameworks: