- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Establishing Performance Targets
After applicable metrics are identified and described, performance targets should be identified in an indicator line of the metric form. Performance targets establish a goal by which success is measured. The degree of success is based on the metric result’s proximity to the stated performance target.
The mechanics of establishing performance targets differ for implementation metrics and the other three types of metrics (effectiveness, efficiency, and impact). For implementation metrics, targets are set to 100 percent completion of specific tasks. Setting performance targets for efficiency, effectiveness, and impact is more complex, because these aspects of the security operation do not assume a specific level of performance.
Identified security management personnel will need to apply qualitative and subjective reasoning to determine appropriate levels of security effectiveness and efficiency, and to use these levels as targets of performance for applicable metrics. All organizations desire effective implementation of security controls, efficient delivery of security services, and minimal impact of security events on their missions. However, the associated measurements will be different for different systems, programs, and controls. An organization will need to establish performance targets for relevant metrics, and should be ready to adjust these targets, based on actual measurements, once they are obtained.
Figure 6 Example of Performance Levels
An organization may also decide not to set targets for these metrics until the first measurement is collected so that it can be used as a performance baseline. Once the baseline is obtained and corrective actions identified, appropriate and realistic measurement targets and implementation milestones can be defined. If performance targets cannot be established after obtaining the baseline, management should evaluate whether the measured activities and corresponding metrics are providing the expected value for the organization's security program.