Security Metrics: Critical Issues

Numbers are the language of business. Fortunately, security metrics are growing ever more sophisticated. Knowing what to measure, how to measure it and how to communicate those metrics can help improve security’s efficiency, effectiveness and standing in the business world.

These in-depth CSOonline and CSO Magazine articles will help you get up to speed on state-of-the-art security metrics.

Last update: 11/12/2012

The basics: Choosing and using security metrics

How to Use Metrics

Security leaders generate data every day. Knowing what to look for and how to analyze it can spell success for a security operation and the organization it serves.

Presenting metrics: Answering the ‘so what’ question

Presenting metrics to business execs? Be sure to express outcomes in the terms your audience cares about.

Risk measurement, assessment, and management

7 common risk management mistakes!

Faulty statistical methods and other common errors that can trip up your program.

What’s your Total Cost of Risk (TCOR)?

Insurance buyers have been calculating “total cost of risk” for decades. Now the equation is expanding to better cover operational risk.

The great IT security risk measurement debate, part 1

Alex Hutton (Verizon Business) and Douglas Hubbard (author of The Failure of Risk Management) discuss whether IT security risk can be accurately measured and how to improve risk management.

IT risk assessment frameworks: an introduction

OCTAVE, FAIR, NIST RMF, and TARA

Metrics and strategy

Building out your strategic security metric framework

Pete Lindstrom says follow Willie Sutton’s advice and go where the money is.

Information security, value creation and the balanced scorecard

Jamil Farshchi and Ahmad Douglas of LANL spell out a management framework that ties information security strategy to the organization’s mission.

Financial metrics

Security and Business: Financial Basics

You need to find and use the right financial metrics to communicate security’s value to your company. Here are pros and cons of four common methodologies: TCO, ROI, EVA and ALE.

Return on Security InvestmentAnd a partially contrarian analysis of ROI from Bruce Schneier:Security ROI: Fact or Fiction?

Sure, determining ROSI (return on security investment) is difficult. But it’s also the key to selling your budget. Here’s our three-step guide to getting started.

Bruce Schneier says ROI is a big deal in business, but it’s a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.

Value Made Visible

At American Water, Bruce Larson uses a simple ‘value protection’ formula to help prioritize spending.

Operational metrics

10 identity management metrics that matter

Good metrics help identify inefficiencies and security holes in your identity management processes. Are you tracking these ten key measures?

A Few Good Information Security Metrics

Andrew Jaquith says information security metrics don’t have to rely on heavy-duty math to be effective, but they also don’t have to be dumbed down to red, yellow, green. Here are five smart measurements–and effective ways to present them.

Using Metrics to Diagnose Security Problems: A Case Studyand companion pieceSample Diagnostic Questions for Finding Information Security Weaknesses

Andrew Jaquith is a Yankee Group analyst and founder of discussion site Securitymetrics.org. The following excerpt is taken from his book Security Metrics: Replacing Fear, Uncertainty, and Doubt.

Metrics for Corporate and Physical Security Programs

Investigations, supply chain, compliance, theft and restitution and more – CSOs count on physical security metrics to evaluate their organizations’ performance and to communicate security’s value to other business executives.

Physical Security Risk and Countermeasures: Effectiveness Metrics

Author Thomas Norman lists ways to measure and improve your security program

Ideas You Can Steal from Six Sigma

Tips from the rigorous quality methodology for improving the effectiveness and efficiency of physical and information security.

More about metrics priorities and presentation

The Metrics Quest

Under pressure from the CFO to quantify security benefits, a CSO finds real-world measures that matter.Steel Pistons

Seven quick-and-dirty tricks for using numbers to strengthen your case.

Survey data and benchmarks

The security research and data directory

Need numbers? We’ve gathered a long list of security surveys with links to results and analysis from across the industry. Covers a broad range of subjects from data protection and network security through physical security, business continuity and fraud prevention. Need security data? Find it here.

Global State of Information Security

Data and analysis from the annual worldwide survey conducted by CSO, CIO and PricewaterhouseCoopers.

• 2012 results and analysis: Are you a security leader—really?
• 2011 results and analysis: Business partners, cloud security, and more
• 2010 results and analysis: Social networking peril
• 2008 results
• 2007 results
• 2006 results
• 2005 results
• 2004 results

State of the CSO2011 results and analysisThe rise of risk management [PDF – free Insider registration required]2010 results and analysis Progress and peril 2009 results Influence grows; will it last?2008 results Powering up!

Our exclusive survey on risk management and security. Data on CSO responsibilities, maturity of organizational security policies, and more.

What do you need to measure? What metrics should CSO explore next? Email Editor Derek Slater at dslater@cxo.com