Targets and metrics for information security are not easy to prepare. Most IT and security operations are maintenance work, and they depend on a large number of outside factors. Here is an example of how to approach the problem.
Last week Shortinfosec.net reached its 1000th visitor. Although it is a ridiculously small number for a serious site, I ask all readers to be patient, since this site has been alive for only a couple of months, and it's more of a hobby.
What is important is to measure performance and set targets. And the only way to do that is to establish metrics and keep them updated. The current ShortInfosec.net target is to increase the total monthly visits by 100% each month. Here are our monthly statistics (courtesy of sitemeter.com).
Targets and metrics are especially hard to prepare in information technology, where most IT and security operations are maintenance work that depends on outside factors. Another problem is that targets are very difficult to set if the metrics have not first been measured long enough to establish a baseline.
So, what to measure? Here is a simple rule set for choosing information security metrics:
- Measuring must be a continuous process. If there are gaps in your measurements, they are useless for analysis and for setting targets.
- Identify what to measure. This can be done in two ways:
  - Define the list of objectives you want to reach and identify which metrics are needed to measure whether they are achieved. This approach focuses on the objectives that actually matter, but it is usually harder to measure all the metrics those objectives require.
  - Define the list of metrics that can be measured and determine which objectives can be inferred from them. This approach guarantees measurable metrics, but the objectives they support may not be fully relevant to the process you want to manage.
- Delegate responsibility for measurement, or set up a system that automatically measures and logs all relevant data.
Example scenario: the Information Security Manager has identified that the following metrics can be collected:
1. Number of reported incidents within the quarter
2. Number of critical incidents within the quarter
3. Number of identified risks in audits, controls and risk analysis within the quarter
4. Number of identified critical risks in audits, controls and risk analysis within the quarter
5. Number of identified attacks within the quarter
From these metrics, the following indicators can be derived:
- Riskiest business areas: based on metrics 2 and 4 (critical incidents and critical risks), the business areas with the most critical issues can be identified.
- Employee awareness: based on metrics 1 and 3 (reported incidents and identified risks), security awareness can be evaluated from the number of incidents employees actually report.
- Company exposure: based on metrics 2, 4 and 5 (critical incidents, critical risks and identified attacks), the overall security exposure of the company can be evaluated.
The targets set against these metrics are:
- Number of reported incidents: should increase or hold its level in each following evaluation period (more reports means better awareness, not more incidents).
- Number of critical incidents: should decrease in each following evaluation period.
- Number of identified risks in audits, controls and risk analysis: should decrease in each following evaluation period.
- Number of identified critical risks in audits, controls and risk analysis: should decrease in each following evaluation period.
- Number of identified attacks: should decrease in each following evaluation period.
One caveat when reading the last three: they count what audits and monitoring find. A falling number can mean the environment improved, or that audit coverage or detection got weaker, so read those trends together with the coverage of the audits and of the detection tooling that produced them.
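The rule set and the example scenario above are easy to turn into a small evaluation script, which also makes the baseline requirement concrete: you cannot judge a target until at least two complete periods exist. The following is an added example (mine, not code from the original post); the business areas, quarter labels and all counts are constructed sample data, the metric names are my own, and the direction rules are exactly the targets listed above. It also applies the continuity rule by reporting quarters with no measurements, and derives the "riskiest business areas" and "company exposure" indicators from metrics 2, 4 and 5.

```python
"""Evaluate quarterly security metrics against the targets described above.

Added example; the data below is constructed, not real measurements.
Layout assumed: quarter -> business area -> metric name -> count.
"""
from typing import Dict, List, Tuple

# Target direction per metric, as listed on the page.
TARGETS = {
    "reported_incidents": "increase_or_hold",  # more reports = better awareness
    "critical_incidents": "decrease",
    "identified_risks": "decrease",
    "critical_risks": "decrease",
    "identified_attacks": "decrease",
}

# Constructed sample data (hypothetical numbers, two business areas, three quarters).
SAMPLE: Dict[str, Dict[str, Dict[str, int]]] = {
    "2008Q1": {
        "finance": {"reported_incidents": 4, "critical_incidents": 2,
                    "identified_risks": 9, "critical_risks": 3, "identified_attacks": 5},
        "hr": {"reported_incidents": 2, "critical_incidents": 0,
               "identified_risks": 6, "critical_risks": 1, "identified_attacks": 2},
    },
    "2008Q2": {
        "finance": {"reported_incidents": 7, "critical_incidents": 1,
                    "identified_risks": 8, "critical_risks": 2, "identified_attacks": 6},
        "hr": {"reported_incidents": 3, "critical_incidents": 1,
               "identified_risks": 4, "critical_risks": 1, "identified_attacks": 1},
    },
    "2008Q3": {
        "finance": {"reported_incidents": 7, "critical_incidents": 0,
                    "identified_risks": 5, "critical_risks": 1, "identified_attacks": 4},
        "hr": {"reported_incidents": 5, "critical_incidents": 0,
               "identified_risks": 3, "critical_risks": 0, "identified_attacks": 2},
    },
}


def missing_quarters(data: Dict, expected: List[str]) -> List[str]:
    """Continuity rule: return expected quarters that have no measurements at all."""
    return [q for q in expected if q not in data]


def totals(data: Dict, quarter: str) -> Dict[str, int]:
    """Company-wide total of each metric for one quarter (summed over business areas)."""
    out = {m: 0 for m in TARGETS}
    for counts in data[quarter].values():
        for m in TARGETS:
            out[m] += counts.get(m, 0)
    return out


def target_met(metric: str, previous: int, current: int) -> bool:
    """Apply the page's direction rule. A flat value only satisfies 'increase_or_hold'."""
    if TARGETS[metric] == "increase_or_hold":
        return current >= previous
    return current < previous


def evaluate_targets(data: Dict) -> Dict[str, List[Tuple[str, bool]]]:
    """For every pair of consecutive quarters, record whether each target was met.

    With fewer than two quarters nothing can be evaluated: that is the baseline problem.
    """
    quarters = sorted(data)
    results: Dict[str, List[Tuple[str, bool]]] = {m: [] for m in TARGETS}
    for prev, cur in zip(quarters, quarters[1:]):
        t_prev, t_cur = totals(data, prev), totals(data, cur)
        for m in TARGETS:
            results[m].append((cur, target_met(m, t_prev[m], t_cur[m])))
    return results


def riskiest_areas(data: Dict, quarter: str) -> List[str]:
    """Rank business areas by critical incidents + critical risks (metrics 2 and 4)."""
    areas = data[quarter]
    return sorted(areas,
                  key=lambda a: areas[a]["critical_incidents"] + areas[a]["critical_risks"],
                  reverse=True)


def exposure(data: Dict, quarter: str) -> int:
    """Company exposure indicator from metrics 2, 4 and 5."""
    t = totals(data, quarter)
    return t["critical_incidents"] + t["critical_risks"] + t["identified_attacks"]


if __name__ == "__main__":
    print("gaps:", missing_quarters(SAMPLE, ["2008Q1", "2008Q2", "2008Q3", "2008Q4"]))
    for metric, history in evaluate_targets(SAMPLE).items():
        print(metric, ["met" if ok else "MISSED" for _, ok in history])
    for q in sorted(SAMPLE):
        print(q, "riskiest:", riskiest_areas(SAMPLE, q), "exposure:", exposure(SAMPLE, q))
```

Note how the "decrease" rule treats a quarter with the same count as the previous one as a miss: in the sample, company-wide critical incidents and identified attacks stay flat between 2008Q1 and 2008Q2, so both targets are reported as missed even though the finance area improved. Whether a hold should count as a miss is a decision to make when the target is written, not when the numbers come in.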
I would be very happy to discuss any example scenario readers send in the comments.
Talkback and comments are most welcome