
A Guide to Effective Security Metrics

Version 1.0: April 2012. Last reviewed: July 2015

Introduction

In today's economic environment, few, if any, institutions of higher education are escaping the need to prune programs that do not clearly and directly support high-priority goals. Investments in the information security program are not exempt from such scrutiny, and those responsible for this function may find themselves struggling to demonstrate strategic value and operational effectiveness, an endeavor that has been a significant challenge for the information security profession even in the best of times. What means should be used to meet this challenge? Key among them should be security metrics.

...

The chart below illustrates the linkages between the metric categories and maturity levels and provides examples of effective metrics. Each row gives the security program maturity stage, the most effective metric category for that stage, and examples.

Stage 1: few policies, procedures, and controls; little measurement data available
  Most effective metric category: N/A - should focus first on clear definition of security program goals and objectives
  Examples (goals):
    • Significant reduction in sensitive data stored on desktops/laptops
    • Require all departments to have mission continuity plans

Stage 2: some policies, procedures, and controls implemented; some measurement data collected
  Most effective metric category: Implementation metrics
  Examples:
    • % increase over time of desktops/laptops on which the sensitive data scanning tool has been deployed
    • % increase over time of departments with mission continuity plans

Stage 3: well-established policies, procedures, and controls; measurement data readily available
  Most effective metric category: Efficiency/effectiveness metrics
  Examples:
    • # of incidents of unapproved storage of sensitive data found on desktops/laptops over time
    • % of total departments with updated, tested mission continuity plans

Stage 4: policies, procedures, and controls are well integrated within the security program and with other institutional programs; measurement data collected as a by-product of business processes
  Most effective metric category: Impact metrics
  Examples:
    • Reduction in sensitive data exposures due to stolen or vulnerable desktops/laptops
    • Outcome of a 48-hour power outage in the administration building

...

Examples of effective metrics for executives:

  • Percentage of IT budget spent on security as compared to peer institutions
  • Change in percentage of mission-critical information assets and functions for which security risk assessments have been completed since institution-wide risk management policy was issued
  • Change in ratio of security incidents requiring notification to total security incidents discovered since institution-wide project to minimize collection and storage of Social Security numbers was initiated


...