A Guide to Effective Security Metrics
Version 1.0: April 2012. Last reviewed: July 2015
Introduction
In today's economic environment, few, if any, institutions of higher education are escaping the need to prune programs that do not clearly and directly support high-priority goals. Investments in information security programs are not exempt from such scrutiny, and those responsible for this function may find themselves struggling to demonstrate strategic value and operational effectiveness, an endeavor that has been a significant challenge for the information security profession even in the best of times. What means should be used to meet this challenge? Key among them should be security metrics.
...
The chart below illustrates the linkages between the metric categories and the maturity levels of a security program, and it provides examples of effective metrics at each stage.
| Security Program Maturity | Most Effective Metric Category | Examples |
|---|---|---|
| Stage 1: few policies, procedures, and controls; little measurement data available | N/A - should focus first on clear definition of security program goals and objectives | Goals: |
| Stage 2: some policies, procedures, and controls implemented; some measurement data collected | Implementation metrics | |
| Stage 3: well-established policies, procedures, and controls; measurement data readily available | Efficiency/effectiveness metrics | |
| Stage 4: policies, procedures, and controls are well-integrated within the security program and with other institutional programs; measurement data collected as a by-product of business processes | Impact metrics | |
...
Examples of effective metrics for executives:
...