Security metrics are measurements used to assess how effectively an organization is meeting the goals and objectives established in its information security policy.
As organizations move from reactive, element-by-element management toward a more proactive, business-oriented approach to service and process management, their security strategies become more concerned with defining policies for the configuration of network devices, the provisioning of people, and the optimization of processes. Deploying capable, up-to-date hardware and software to detect impending security incidents and to prevent outbreaks of viruses, worms and other malware plays a significant, but not decisive, role in building an organization's security infrastructure. The dynamic threat environment demands greater security effectiveness, the business demands better service delivery and process support, and compliance demands greater visibility. The impetus to measure security is thus being driven by the changing nature of IT.
Security can be measured at each stage of the incident timeline: before an incident (detecting vulnerabilities and taking measures to prevent a breach), during an incident (determining which data assets could be affected and making fast, accurate decisions to eliminate the exposure), and after an incident (assessing the damage done and taking organizational, managerial and technical measures to prevent future data leakage).
Organizational security metrics fall into several major categories: Financial Impact, Employee Compliance, Computer Systems Security Compliance, and Security Policy Effectiveness Level. Effective security measurement should also take an organization's Security Incidents history and Security Benchmarking data into account.
The key financial metric for analyzing security efficiency is Return on Security Investment (ROSI), which lets management evaluate the effectiveness of a security investment by comparing its financial benefit with its cost. Another important financial metric is Value-at-Risk, a quantification of exposure based on the expected frequency with which attacks are likely to occur and the loss given event (LGE) caused by a single attack.
The Employee Compliance category provides instruments for analyzing employee security awareness within an organization. It includes measurements such as employee attitude toward the security policy in place, security policy awareness level, user security compliance, and password policy implementation.
The Computer Systems Security Compliance category evaluates the effectiveness of the existing physical network infrastructure and of installed security software and devices by determining how far each element complies with the organization's security policy.
Security Policy Effectiveness metrics analyze Security Incident Forensics (the number of incidents attributable to policy failures divided by the number of policy compliance failures), Remediation Time (the time between discovery of a compromise and completion of system remediation), and Vulnerability Level (the number of vulnerabilities found on policy non-compliant devices divided by the number found on policy-compliant devices; a ratio well above 1 is evidence that compliance with the policy actually reduces exposure).
Security metrics data can be obtained in several ways, including survey techniques (expert interviews, self-assessments, management workshops and so on), key indicator approaches, internal measurement, and coherence analysis between the sources and drivers of security and privacy risks and the resulting losses. It is advisable to prioritize the resulting metrics by risk priority number, which combines the probability of occurrence, the probability of detection, and the severity of impact.
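The financial and policy-effectiveness metrics above (ROSI and the frequency-times-LGE quantity from the Financial Impact category, the three Security Policy Effectiveness metrics, and the risk priority number used for prioritization) are easiest to understand when computed over actual records. The following Python is an added example and not part of this article: the threat scenarios, device inventory, incident timestamps and risk scores are constructed sample data; the ROSI formula used (avoided loss minus control cost, divided by control cost) and the 1-to-10 FMEA-style scales for the risk priority number are assumptions the article does not specify; and all function and data names are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Threat:
    """One threat scenario and the control proposed against it (constructed values)."""
    name: str
    frequency_per_year: float  # expected number of successful attacks per year
    loss_given_event: float    # LGE: loss caused by a single attack, in currency units
    mitigation_ratio: float    # fraction of that loss the control is expected to remove (0..1)
    control_cost: float        # annual cost of the control, same currency


def expected_annual_loss(t: Threat) -> float:
    """Expected frequency times loss given event (the frequency x LGE quantity in the text)."""
    return t.frequency_per_year * t.loss_given_event


def rosi(t: Threat) -> float:
    """Return on Security Investment: (avoided loss - control cost) / control cost.

    This formula is an assumption; the text only says ROSI compares benefit with cost.
    A negative result means the control is expected to cost more than it saves.
    """
    avoided_loss = expected_annual_loss(t) * t.mitigation_ratio
    return (avoided_loss - t.control_cost) / t.control_cost


def incident_forensics_ratio(incidents_from_policy_failures: int,
                             policy_compliance_failures: int) -> float:
    """Incidents attributable to policy failures / policy compliance failures found."""
    if policy_compliance_failures == 0:
        raise ValueError("no compliance failures recorded; ratio is undefined")
    return incidents_from_policy_failures / policy_compliance_failures


def mean_remediation_hours(incidents) -> float:
    """Mean time from discovery of the compromise to completion of remediation, in hours."""
    return mean((i["remediated"] - i["discovered"]).total_seconds() / 3600 for i in incidents)


def vulnerability_level(devices) -> float:
    """Vulns on policy non-compliant devices / vulns on policy-compliant devices."""
    noncompliant = sum(d["vulns"] for d in devices if not d["compliant"])
    compliant = sum(d["vulns"] for d in devices if d["compliant"])
    if compliant == 0:
        raise ValueError("no vulnerabilities on compliant devices; ratio is undefined")
    return noncompliant / compliant


def risk_priority_number(severity: int, occurrence: int, detection: int) -> int:
    """FMEA-style RPN = severity x occurrence x detection, each scored 1..10 (assumed scale).

    FMEA convention: the detection score is HIGHER when the failure is LESS likely to
    be detected, so a hard-to-detect risk correctly raises the priority.
    """
    for score in (severity, occurrence, detection):
        if not 1 <= score <= 10:
            raise ValueError("scores must be in the range 1..10")
    return severity * occurrence * detection


def rank_by_rpn(risks):
    """Risk names ordered from highest to lowest RPN, i.e. the order to address them."""
    ordered = sorted(risks, reverse=True,
                     key=lambda r: risk_priority_number(r["severity"], r["occurrence"], r["detection"]))
    return [r["name"] for r in ordered]


# Constructed sample data (not from any real organization).
SAMPLE_THREATS = [
    Threat("ransomware on file servers", 0.5, 200_000.0, 0.8, 20_000.0),
    Threat("phishing credential theft", 4.0, 5_000.0, 0.5, 15_000.0),
]
SAMPLE_DEVICES = [
    {"host": "web-01", "compliant": True, "vulns": 2},
    {"host": "web-02", "compliant": True, "vulns": 1},
    {"host": "db-01", "compliant": False, "vulns": 9},
    {"host": "legacy-01", "compliant": False, "vulns": 6},
]
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "discovered": datetime(2024, 3, 1, 9, 0), "remediated": datetime(2024, 3, 3, 9, 0)},
    {"id": "INC-2", "discovered": datetime(2024, 3, 10, 12, 0), "remediated": datetime(2024, 3, 10, 18, 0)},
]
SAMPLE_RISKS = [
    {"name": "phishing", "severity": 7, "occurrence": 8, "detection": 3},
    {"name": "unpatched database host", "severity": 9, "occurrence": 4, "detection": 6},
    {"name": "lost unencrypted laptop", "severity": 5, "occurrence": 5, "detection": 2},
]


def scorecard() -> dict:
    """Assemble the metrics into one scorecard over the sample data."""
    return {
        "rosi": {t.name: round(rosi(t), 2) for t in SAMPLE_THREATS},
        "incident_forensics_ratio": incident_forensics_ratio(3, 12),  # 3 incidents, 12 audit failures
        "mean_remediation_hours": mean_remediation_hours(SAMPLE_INCIDENTS),
        "vulnerability_level": vulnerability_level(SAMPLE_DEVICES),
        "priority_order": rank_by_rpn(SAMPLE_RISKS),
    }


if __name__ == "__main__":
    for metric, value in scorecard().items():
        print(f"{metric}: {value}")
```

The point the numbers make: the ransomware control returns three times its cost, while the phishing control has a negative ROSI at the assumed mitigation ratio and would need either a cheaper control or a higher expected loss to justify itself; the vulnerability level of 5.0 says non-compliant hosts carry five times the findings of compliant ones; and the RPN ordering puts the hard-to-detect database risk ahead of the more frequent but easily detected phishing risk.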
The resulting security balanced scorecard provides an efficient tool for assessing the current security status, developing operational best practices, and guiding future security research.