In Depth
How to Use Metrics
CSOs generate security data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.
By George K. Campbell
3. Measures mapping: a way to identify risk mitigation strategies and evaluate their effectiveness
We are all familiar with the highway sign "Dangerous Curve, Reduce Speed Ahead." Many of the measures discussed in this story may be applied to provide the CSO and key constituents with similar caution signals. They become the earliest prompts for more in-depth analysis of trend dynamics that allow you to look at the root causes of problems, not just the symptoms.
Examples of incident trends that help diagnose risks to address include:
Increased frequency or severity of accident, crime or policy infraction rates
Reduced mean times between failures on critical equipment with increased downtime
Increased number or severity of negative background investigation rates in specific hiring populations
Excessive passwords for access to different "secure" applications, which results in shared passwords and visible posting of passwords
Abnormal response times to calls for service
Outsourcing sensitive business processes without requisite due diligence
Elimination or reduced testing of building evacuation plans, which leads to employee confusion and injury during real incidents
Degradation of timely software patch application or increased virus activity in specific client groups
Such diagnostic measures identify risks; the CSO then needs to develop a strategy to address them. Measures mapping helps you do that by looking at areas of risk, the causes contributing to those risks and the actions implemented to mitigate them, and then measuring the effectiveness of those actions. Measures mapping, a method of analyzing specific hazards or incidents to identify potential tactics, is a modification of countermeasures mapping guidance for licensees of the Nuclear Regulatory Commission that was in use some years ago. It takes the aggravating causes identified in incident lessons-learned analyses, together with the high-level tasks identified to mitigate the risk, and postulates measures or metrics for each countermeasure.
Figure 3 above takes on the issue of insider risk. In this example, the area of risk identified stems from the increased number of employees in a business unit who were the subject of misconduct cases. Investigations reveal that the problem stems in part from poor supervision of these employees. In addition, there's poor awareness on the part of employees of the company's business conduct policies. Mitigating actions involve the CSO and the security team as well as managers from human resources and legal departments.
Measures maps are useful in several situations. Examples include the need to cut security spending, the failure to respond to a security breach at the CEO's home, business interruptions caused by computer viruses or the frequency of workplace violence incidents. Measures mapping is a useful way for a CSO to brief constituents on a proposed risk mitigation strategy. And it enables status and cost updates in progress reporting.



