- Overview of Metrics Program
- Purpose, Approach, and Objectives
- Benefits of Using Metrics
- Metrics Types
- Data Management Concerns
- Stakeholder Interest Identification
- Goals and Objectives Definition
- Security Policies, Guidance, and Procedures Review
- System Security Program Implementation Review
- Metrics Development and Selection
- Establishing Performance Targets
- Feedback within Metrics Development Process
- Metrics Program Implementation
Benefits of Using Metrics
A security metrics program can provide an organization with a number of organizational and financial benefits. An organization can improve security accountability by deploying security metrics. The process of data collection and reporting will enable the management to pinpoint specific technical, operational, or management controls that are not being used or are used incorrectly. Security metrics can be created to measure each aspect of an organization’s security. For example, the results of risk assessments, penetration testing, security testing and evaluation, and other security-related activities can be quantified and used as data sources for metrics. Using the results of the metrics analysis, program managers and system owners can isolate problems, use collected data to justify investment requests, and then target investments specifically to the areas needing improvement. Use of security metrics will allow an organization to measure successes and failures of past and current security investments. Metrics will provide quantifiable data that will support allocation of resources for future investments. By using metrics to target security investments, an organization can get the best value from available resources.
Security metrics can also help determine the effectiveness of implemented security processes, procedures, and controls. They do this by relating the results of security activities such as incident data and revenue lost to cyber attacks to respective security requirements and security investments.
It is important to realize that the development of these types of metrics happens over time, sometimes years. Metric development goes through an evolutionary process and is directly related to the maturity of the security program and the resources allocated to it. Incremental benefits will be achieved as the metrics are developed and mature over time.