Security Metrics: Critical Issues
How to gather, analyze, and present security metrics for operational improvement and budgeting.
By Derek Slater
November 12, 2012 — CSO — Numbers are the language of business. Fortunately, security metrics are growing ever more sophisticated. Knowing what to measure, how to measure it and how to communicate those metrics can help improve security's efficiency, effectiveness and standing in the business world.
These in-depth CSOonline and CSO Magazine articles will help you get up to speed on state-of-the-art security metrics.
Last update: 11/12/2012
The basics: Choosing and using security metrics
How to Use Metrics
Security leaders generate data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.
Presenting metrics: Answering the 'so what' question
Presenting metrics to business execs? Be sure to express outcomes in the terms your audience cares about.
Risk measurement, assessment, and management
7 common risk management mistakes!
Faulty statistical methods and other common errors that can trip up your program.
What's your Total Cost of Risk (TCOR)?
Insurance buyers have been calculating "total cost of risk" for decades. Now the equation is expanding to better cover operational risk.
The great IT security risk measurement debate, part 1
Alex Hutton (Verizon Business) and Douglas Hubbard (author of The Failure of Risk Management) discuss whether IT security risk can be accurately measured and how to improve risk management.
IT risk assessment frameworks: an introduction
OCTAVE, FAIR, NIST RMF, and TARA
Metrics and strategy
Building out your strategic security metric framework
Pete Lindstrom says follow Willie Sutton's advice and go where the money is.
Information security, value creation and the balanced scorecard
Jamil Farshchi and Ahmad Douglas of LANL spell out a management framework that ties information security strategy to the organization's mission.
Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four common methodologies: TCO, ROI, EVA and ALE.
Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
And a partially contrarian analysis of ROI from Bruce Schneier:
Security ROI: Fact or Fiction?
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.
Value Made Visible
At American Water, Bruce Larson uses a simple 'value protection' formula to help prioritize spending.
10 identity management metrics that matter
Good metrics help identify inefficiencies and security holes in your identity management processes. Are you tracking these ten key measures?
A Few Good Information Security Metrics
Andrew Jaquith says information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements--and effective ways to present them.
Using Metrics to Diagnose Security Problems: A Case Study
Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. The following excerpt is taken from his book Security Metrics: Replacing Fear, Uncertainty, and Doubt.
and companion piece
Sample Diagnostic Questions for Finding Information Security Weaknesses
Metrics for Corporate and Physical Security Programs
Investigations, supply chain, compliance, theft and restitution and more - CSOs count on physical security metrics to evaluate their organizations' performance and to communicate security's value to other business executives.
Physical Security Risk and Countermeasures: Effectiveness Metrics
Author Thomas Norman lists ways to measure and improve your security program
Ideas You Can Steal from Six Sigma
Tips from the rigorous quality methodology for improving the effectiveness and efficiency of physical and information security.
More about metrics priorities and presentationThe Metrics Quest
Under pressure from the CFO to quantify security benefits, a CSO finds real-world measures that matter.
Seven quick-and-dirty tricks for using numbers to strengthen your case.