...

This guide defines security metrics, describes the characteristics of effective metrics, discusses the different types of metrics and where each is best used, and provides tips for communicating metrics to executives. Further information and guidance are provided in the "7 Things You Should Know about Information Security Metrics" publication, and links to additional helpful references are provided on the EDUCAUSE Security Metrics resource page.

Definition of Security Metrics

...

While there are multiple ways to categorize metrics, guidance from the National Institute of Standards and Technology (NIST) does so in a way that is more helpful than simply providing tag names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1) divides security metrics into three categories and links each to a level of security program maturity. The categories are:

...

The chart below illustrates the linkages between the metric categories and maturity levels, and it provides examples of effective metrics. Each row lists the security program maturity stage, the most effective metric category for that stage, and examples.

Stage 1: few policies, procedures and controls; little measurement data available
  Most effective metric category: N/A - should focus first on clear definition of security program goals and objectives
  Examples (goals):
    • Significant reduction in sensitive data stored on desktops/laptops
    • Require all departments to have mission continuity plans

Stage 2: some policies, procedures, and controls implemented; some measurement data collected
  Most effective metric category: Implementation metrics
  Examples:
    • % increase over time of desktops/laptops on which the sensitive data scanning tool has been deployed
    • % increase over time of departments with mission continuity plans

Stage 3: well-established policies, procedures, and controls; measurement data readily available
  Most effective metric category: Efficiency/effectiveness metrics
  Examples:
    • # of incidents of unapproved storage of sensitive data found on desktops/laptops over time
    • % of total departments with updated, tested mission continuity plans

Stage 4: policies, procedures, and controls are well-integrated within the security program and with other institutional programs; measurement data collected as a by-product of business processes
  Most effective metric category: Impact metrics
  Examples:
    • Reduction in sensitive data exposures due to stolen or vulnerable desktops/laptops
    • Outcome of a 48-hour power outage in the administration building

Metrics for Executives

Executive awareness of security concerns is almost certainly assured when the organization experiences a major data breach. Although such an event often provides a favorable environment for furthering the security agenda, given a choice, most information security professionals would prefer a more proactive approach. Major improvements in an organization's security posture can take a very long time to implement; short bursts of executive attention on security do not provide the sustained support needed for long-term changes. But, just how does one build deeper awareness and appreciation of security issues at the highest management echelon?

...