Security Metrics: Critical Issues
How to gather, analyze, and present security metrics for operational improvement and budgeting.
By Derek Slater
November 12, 2012 — CSO — Numbers are the language of business. Fortunately, security metrics are growing ever more sophisticated. Knowing what to measure, how to measure it and how to communicate those metrics can help improve security's efficiency, effectiveness and standing in the business world.
These in-depth CSOonline and CSO Magazine articles will help you get up to speed on state-of-the-art security metrics.
Last update: 11/12/2012
The basics: Choosing and using security metrics
How to Use Metrics
Security leaders generate data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.
Presenting metrics: Answering the 'so what' question
Presenting metrics to business execs? Be sure to express outcomes in the terms your audience cares about.
Risk measurement, assessment, and management
7 common risk management mistakes!
Faulty statistical methods and other common errors that can trip up your program.
What's your Total Cost of Risk (TCOR)?
Insurance buyers have been calculating "total cost of risk" for decades. Now the equation is expanding to better cover operational risk.
The great IT security risk measurement debate, part 1
Alex Hutton (Verizon Business) and Douglas Hubbard (author of The Failure of Risk Management) discuss whether IT security risk can be accurately measured and how to improve risk management.
IT risk assessment frameworks: an introduction
OCTAVE, FAIR, NIST RMF, and TARA
Metrics and strategy
Building out your strategic security metric framework
Pete Lindstrom says follow Willie Sutton's advice and go where the money is.
Information security, value creation and the balanced scorecard
Jamil Farshchi and Ahmad Douglas of LANL spell out a management framework that ties information security strategy to the organization's mission.
Financial metrics
Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four common methodologies: TCO, ROI, EVA and ALE.
Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
And a partially contrarian analysis of ROI from Bruce Schneier:
Security ROI: Fact or Fiction?
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.
Value Made Visible
At American Water, Bruce Larson uses a simple 'value protection' formula to help prioritize spending.
Operational metrics
10 identity management metrics that matter
Good metrics help identify inefficiencies and security holes in your identity management processes. Are you tracking these ten key measures?
A Few Good Information Security Metrics
Andrew Jaquith says information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements--and effective ways to present them.
Using Metrics to Diagnose Security Problems: A Case Study
Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. The following excerpt is taken from his book Security Metrics: Replacing Fear, Uncertainty, and Doubt.
and companion piece
Sample Diagnostic Questions for Finding Information Security Weaknesses
Metrics for Corporate and Physical Security Programs
Investigations, supply chain, compliance, theft and restitution and more - CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives.
Physical Security Risk and Countermeasures: Effectiveness Metrics
Author Thomas Norman lists ways to measure and improve your security program
Ideas You Can Steal from Six Sigma
Tips from the rigorous quality methodology for improving the effectiveness and efficiency of physical and information security.
More about metrics priorities and presentation
The Metrics QuestUnder pressure from the CFO to quantify security benefits, a CSO finds real-world measures that matter.
Steel Pistons
Seven quick-and-dirty tricks for using numbers to strengthen your case.
Security metrics are a challenge that CSOs must meet head-on. Here is unmatched depth for identifying effective metrics, collecting them, presenting them, and using them for operational improvement and for budgeting purposes.
Security metrics: Critical issues
Case studies, innovative ideas, finanical and operational metrics, effective presentation—the Web's best practical guide to security and operational risk metrics
The great IT risk measurement debate
Alex Hutton and Doug Hubbard on what metrics you have, what you need, and what you can do about it
The security data and survey directory
5 steps for communicating security's value to nonsecurity people
Security and business financial and budgeting basics
Great information security metrics
Metrics for physical security programs
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Security Analytics Video
- B2B Integration on Cloud: Real World Solutions and Technology Advances
- Virtualization Boosts SMBs
- #FFSec: Infosec pros who bring value to Twitter
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - B-Sides Boston is Saturday
- Leaving CSO, Heading to Akamai
More Salted Hash with Bill Brenner
