Metrics: Your Information Security Yardstick

Mention metrics to almost anyone in the information security industry and eyes will immediately glaze over. While there are a few adventurous souls out there, most security professionals balk at the prospect of trying to measure their security program. However, the ability to do just that is an essential part of a security program at any maturity level and a way to move your program forward. Metrics allow security stakeholders to answer important questions about the performance of the security program and, ultimately, make educated decisions regarding the program. Being able to communicate the effectiveness of your program to business leaders is an important part of a program’s identity and maturity within an organization. Generally speaking, metrics can be categorized into three types based on what they signify:

  • Effort metrics measure the amount of effort expended on security. For example:
    • training hours,
    • time spent patching systems, and
    • the number of systems scanned for vulnerabilities.
  • Result metrics attempt to measure the results of security efforts. Examples of result metrics include:
    • the number of days since the last data breach,
    • the number of unpatched vulnerabilities, and
    • the number of adverse audit or assessment findings.
  • Environment metrics measure the environment in which security efforts take place. These metrics provide context for the other two types. For example:
    • the number of known vulnerabilities, and
    • the number of systems.

By compiling metrics, it is possible to measure the effect of your organization’s investment in security. For example, you may track the number of vulnerabilities that have been known to exist in your environment for longer than 30 days. After making improvements to your patch and configuration management processes, you should see a positive impact represented by a decrease in that vulnerability count. Similarly, budget cuts could negatively impact your security program; by demonstrating this negative impact through metrics, you will (hopefully) have a better chance at increasing your security budget in the next budgeting cycle. Remember that every organization’s security program is different and, as such, a metrics package is not one-size-fits-all. In particular, more mature programs can supply more detailed and advanced metrics; however, less mature programs can still benefit from simple metrics. No matter where your security program is on the maturity curve, metrics can give you better insight into your program’s strengths and weaknesses and, as such, will allow you to make better management decisions.
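As an added illustration (not from the original article), the script below computes the "known for longer than 30 days" result metric described above from a constructed scan history, alongside one effort metric (mean days to remediate) and two environment metrics (systems, open vulnerabilities), and produces the 30-day trend series you would chart to see whether a process change is paying off. The host names, `VULN-` identifiers and dates are all made up for the example.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    host: str
    vuln_id: str              # placeholder ids, not real CVE numbers
    first_seen: date          # date the scanner first reported the finding
    fixed_on: Optional[date]  # None while the finding is still open

# Constructed sample scan history; not data from any real environment.
FINDINGS = [
    Finding("web-01", "VULN-0001", date(2024, 1, 5),  date(2024, 1, 20)),
    Finding("web-02", "VULN-0002", date(2024, 1, 10), None),
    Finding("db-01",  "VULN-0003", date(2024, 2, 1),  date(2024, 3, 15)),
    Finding("db-01",  "VULN-0004", date(2024, 2, 20), None),
    Finding("app-01", "VULN-0005", date(2024, 3, 25), None),
]
REPORT_DATE = date(2024, 4, 1)  # the "as of" date for the report below

def open_on(findings, as_of):
    """Findings already known on as_of and not yet remediated by then."""
    return [f for f in findings
            if f.first_seen <= as_of and (f.fixed_on is None or f.fixed_on > as_of)]

def aged_open_count(findings, as_of, max_age_days=30):
    """Result metric: open vulnerabilities known for longer than max_age_days."""
    return sum(1 for f in open_on(findings, as_of)
               if (as_of - f.first_seen).days > max_age_days)

def mean_days_to_fix(findings, as_of):
    """Effort metric: average days from first report to remediation."""
    fixed = [(f.fixed_on - f.first_seen).days
             for f in findings if f.fixed_on is not None and f.fixed_on <= as_of]
    return sum(fixed) / len(fixed) if fixed else None

def snapshot(findings, as_of, max_age_days=30):
    # One row of the metrics package; each value is tagged with its metric type.
    return {
        "systems": len({f.host for f in findings}),                           # environment
        "known_open": len(open_on(findings, as_of)),                          # environment
        "open_over_max_age": aged_open_count(findings, as_of, max_age_days),  # result
        "mean_days_to_fix": mean_days_to_fix(findings, as_of),                # effort
    }

def trend(findings, end, points=3, step_days=30, max_age_days=30):
    """Aged-open count at `points` dates ending on `end`, oldest first, for a trend chart."""
    days = [end - timedelta(days=step_days * i) for i in reversed(range(points))]
    return [(d.isoformat(), aged_open_count(findings, d, max_age_days)) for d in days]

if __name__ == "__main__":
    print(snapshot(FINDINGS, REPORT_DATE), trend(FINDINGS, REPORT_DATE))
```

In practice the `systems` count should come from your asset inventory rather than from scanner output, since hosts the scanner never reached are exactly the ones that skew the environment metric.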