In Depth

The Security Metrics Collection

Numbers are the language of business. Fortunately, security metrics are growing ever more sophisticated. Knowing what to measure, how to measure it and how to communicate those metrics can help improve security's efficiency, effectiveness and standing in the business world.

October 27, 2008, CSO

These in-depth CSOonline and CSO Magazine articles will help you get up to speed on state-of-the-art security metrics.

The basics: Choosing and using metrics

How to Use Metrics
Security leaders generate data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.

Financial metrics

Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four common methodologies: TCO, ROI, EVA and ALE.

Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
And a partially contrarian analysis of ROI from Bruce Schneier:
Security ROI: Fact or Fiction?
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.

Value Made Visible
At American Water, Bruce Larson uses a simple 'value protection' formula to help prioritize spending.

Operational metrics

A Few Good Information Security Metrics
Andrew Jaquith says information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements--and effective ways to present them.

Using Metrics to Diagnose Security Problems: A Case Study
Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. The following excerpt is taken from his book Security Metrics: Replacing Fear, Uncertainty, and Doubt.
And a companion piece:
Sample Diagnostic Questions for Finding Information Security Weaknesses

Metrics for Corporate and Physical Security Programs
Investigations, supply chain, compliance, theft and restitution and more - CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives.

Ideas You Can Steal from Six Sigma
Tips from the rigorous quality methodology for improving the effectiveness and efficiency of physical and information security.

More about metrics priorities and presentation

The Metrics Quest
Under pressure from the CFO to quantify security benefits, a CSO finds real-world measures that matter.

Steel Pistons
Seven quick-and-dirty tricks for using numbers to strengthen your case.
