Numbers are the language of business. Fortunately, security metrics are growing ever more sophisticated. Knowing what to measure, how to measure it and how to communicate those metrics can help improve security's efficiency, effectiveness and standing in the business world.
These in-depth CSOonline and CSO Magazine articles will help you get up to speed on state-of-the-art security metrics.
Last update: 11/12/2012
The basics: Choosing and using security metrics
Security leaders generate data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.
Presenting metrics to business execs? Be sure to express outcomes in the terms your audience cares about.
Risk measurement, assessment, and management
Faulty statistical methods and other common errors that can trip up your program.
Insurance buyers have been calculating "total cost of risk" for decades. Now the equation is expanding to better cover operational risk.
Alex Hutton (Verizon Business) and Douglas Hubbard (author of The Failure of Risk Management) discuss whether IT security risk can be accurately measured and how to improve risk management.
OCTAVE, FAIR, NIST RMF, and TARA
Metrics and strategy
Pete Lindstrom says follow Willie Sutton's advice and go where the money is.
Jamil Farshchi and Ahmad Douglas of LANL spell out a management framework that ties information security strategy to the organization's mission.
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four common methodologies: TCO, ROI, EVA and ALE.
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.
At American Water, Bruce Larson uses a simple 'value protection' formula to help prioritize spending.
Good metrics help identify inefficiencies and security holes in your identity management processes. Are you tracking these ten key measures?
Andrew Jaquith says information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements--and effective ways to present them.
Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. The following excerpt is taken from his book Security Metrics: Replacing Fear, Uncertainty, and Doubt.
Investigations, supply chain, compliance, theft and restitution and more - CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives.
Author Thomas Norman lists ways to measure and improve your security program
Tips from the rigorous quality methodology for improving the effectiveness and efficiency of physical and information security.
More about metrics priorities and presentation
Under pressure from the CFO to quantify security benefits, a CSO finds real-world measures that matter. Steel Pistons
Seven quick-and-dirty tricks for using numbers to strengthen your case.
Survey data and benchmarks
Need numbers? We've gathered a long list of security surveys with links to results and analysis from across the industry. Covers a broad range of subjects from data protection and network security through physical security, business continuity and fraud prevention. Need security data? Find it here.
Global State of Information Security
Data and analysis from the annual worldwide survey conducted by CSO, CIO and PricewaterhouseCoopers.
- 2012 results and analysis: Are you a security leader—really?
- 2011 results and analysis: Business partners, cloud security, and more
- 2010 results and analysis: Social networking peril
- 2008 results
- 2007 results
- 2006 results
- 2005 results
- 2004 results
State of the CSO2011 results and analysisThe rise of risk management [PDF - free Insider registration required]2010 results and analysis Progress and peril 2009 results Influence grows; will it last?2008 results Powering up!
Our exclusive survey on risk management and security. Data on CSO responsibilities, maturity of organizational security policies, and more.
What do you need to measure? What metrics should CSO explore next? Email Editor Derek Slater at firstname.lastname@example.org