Information Security Governance has become a critical aspect of overall corporate governance activities. To facilitate effective governance of an organization’s information security activities, business-aligned metrics and measures need to be developed, implemented, monitored and reported to management.
That said, information security, like risk, is a notoriously difficult area to measure; the main problem is how to measure the ‘lack of incidents’. The issues are:
- If the information security risk analysis is accurate and correctly implemented, then the organization should be able to avoid, or at least reduce the number and severity of, security incidents.
- If the numbers are lower than before the organization implemented the controls, the organization could claim success; but what if the number and severity of incidents would have fallen anyway?
- If the numbers are higher than before, does that necessarily mean the organizational controls are ineffective? It could simply mean that the threats and impacts have increased and the organization has not kept pace.
The real issue is one of interpretation. It is practically impossible to measure objectively what might have happened if the organization had not implemented or improved its information security controls. There are some key pointers that an organization would do well to keep in mind while developing metrics to measure the effectiveness of the information security controls it has implemented.
Metrics need not have absolute measurements: The organization need not worry about minor variations in the measuring methods, so long as the objective of promoting improvement is met. Benchmarking and best-practice transfers are good examples of this kind of thinking. Don’t expect to be perfect; instead, benchmark yourself against a standard practice or against other organizations that have implemented standard frameworks.
Metrics need not be expensive: It is surprising how many security-related metrics are already collected for various purposes in the average corporation by existing tools. A classic example is how much information is captured by the helpdesk through the various incidents recorded across the organization. You only need to take some time to dig into this data to extract as much information as possible. It also helps to coordinate with the various departments in the organization to understand their measurement systems and reporting techniques.
Metrics need not be objective and tangible: Given the intangible nature of security awareness, it is definitely worth putting effort into the measurement of subjective factors, rather than relying entirely on easy-to-measure but largely irrelevant objective factors. Sometimes too much emphasis is put on numbers such as how many incidents were recorded and resolved. While that is a good measure, intangible measures such as training feedback are sometimes also useful to look into.
Metrics should not always measure results: Most organizations are too busy measuring the outcomes of the controls implemented, such as the number of virus incidents or hacking attempts. Process inputs (e.g. the proportion of employees who have been exposed to training), process activities (e.g. the proportion of people regularly updating their antivirus software; audience satisfaction indices for awareness/training activities) and process outputs (e.g. reduction in virus incidents, better audit reports, lower losses) are all worthwhile sources of metrics.
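The two pointers above (mine data the helpdesk already collects; report inputs and activities, not only outputs) can be turned into a small scorecard. The following is an added example, not code from the article: it parses a constructed helpdesk export, a constructed training-completion list and a constructed endpoint signature-date extract, and derives an input metric (training coverage), an activity metric (antivirus update compliance) and output metrics (security incidents per month and mean days to close). The category names, the 7-day freshness threshold and the baseline comparison are assumptions made for the example; the trend helper deliberately reports direction without claiming the controls caused it, matching the interpretation caveat earlier in the article.

```python
"""Security metrics scorecard built from data an organization already holds.

Added example; all records below are constructed for illustration.
"""
from collections import Counter
from datetime import date

# Constructed helpdesk export: ticket id, opened, closed, category, severity.
HELPDESK_EXPORT = """\
T1001,2024-01-03,2024-01-03,printer,low
T1002,2024-01-08,2024-01-10,malware,high
T1003,2024-01-15,2024-01-15,password-reset,low
T1004,2024-02-02,2024-02-05,phishing,medium
T1005,2024-02-11,2024-02-11,malware,medium
T1006,2024-02-20,2024-02-27,lost-device,high
T1007,2024-03-04,2024-03-04,phishing,low
T1008,2024-03-09,2024-03-12,vpn,low
T1009,2024-03-21,2024-03-21,malware,low
"""
# Which helpdesk categories count as security incidents (assumed mapping).
SECURITY_CATEGORIES = {"malware", "phishing", "lost-device"}

# Constructed HR/LMS extract: 30 of 40 employees completed awareness training.
HEADCOUNT = 40
TRAINING_COMPLETIONS = {f"u{i:02d}" for i in range(1, 31)}

# Constructed endpoint-management extract: last antivirus signature update per host.
ENDPOINT_SIGNATURE_DATES = {
    "pc01": date(2024, 3, 30), "pc02": date(2024, 3, 29), "pc03": date(2024, 3, 15),
    "pc04": date(2024, 3, 31), "pc05": date(2024, 3, 2), "pc06": date(2024, 3, 26),
    "pc07": date(2024, 3, 24), "pc08": date(2024, 3, 20),
}


def parse_tickets(export):
    """Turn the CSV-style export into dicts with real dates; skip blank lines."""
    tickets = []
    for line in export.splitlines():
        if not line.strip():
            continue
        tid, opened, closed, category, severity = line.split(",")
        tickets.append({"id": tid, "opened": date.fromisoformat(opened),
                        "closed": date.fromisoformat(closed),
                        "category": category, "severity": severity})
    return tickets


def security_incidents(tickets):
    """Keep only tickets whose category is on the security list."""
    return [t for t in tickets if t["category"] in SECURITY_CATEGORIES]


def incidents_per_month(tickets):
    """Output metric: security incidents opened per calendar month."""
    counts = Counter(t["opened"].strftime("%Y-%m") for t in security_incidents(tickets))
    return dict(sorted(counts.items()))


def mean_days_to_close(tickets):
    """Output metric: average days between opening and closing a security ticket."""
    incidents = security_incidents(tickets)
    if not incidents:
        return 0.0
    return sum((t["closed"] - t["opened"]).days for t in incidents) / len(incidents)


def training_coverage(completions, headcount):
    """Input metric: proportion of staff who completed awareness training."""
    return len(completions) / headcount


def av_update_compliance(signature_dates, as_of, max_age_days=7):
    """Activity metric: proportion of endpoints with signatures no older than max_age_days."""
    fresh = sum(1 for d in signature_dates.values() if (as_of - d).days <= max_age_days)
    return fresh / len(signature_dates)


def interpret_trend(current, baseline):
    """Report the change against a baseline without attributing cause to the controls."""
    delta = current - baseline
    if delta < 0:
        note = "fewer incidents than baseline; confirm exposure and detection did not also change"
    elif delta > 0:
        note = "more incidents than baseline; may reflect better detection or a larger threat, not failed controls"
    else:
        note = "no change against baseline"
    return {"baseline": baseline, "current": current, "delta": delta, "note": note}


def build_scorecard(export=HELPDESK_EXPORT, as_of=date(2024, 3, 31), baseline_incidents=3):
    """Assemble input, activity and output metrics into one report dict."""
    tickets = parse_tickets(export)
    monthly = incidents_per_month(tickets)
    latest_month = as_of.strftime("%Y-%m")
    return {
        "input_training_coverage": training_coverage(TRAINING_COMPLETIONS, HEADCOUNT),
        "activity_av_compliance": av_update_compliance(ENDPOINT_SIGNATURE_DATES, as_of),
        "output_incidents_per_month": monthly,
        "output_mean_days_to_close": mean_days_to_close(tickets),
        "trend": interpret_trend(monthly.get(latest_month, 0), baseline_incidents),
    }


if __name__ == "__main__":
    for key, value in build_scorecard().items():
        print(f"{key}: {value}")
```

The baseline passed to `interpret_trend` stands in for the pre-control figure the article discusses; the function reports the direction of change and attaches the interpretation caveat, leaving the judgement about cause to the reader of the report.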
Conclusion:
Information security is a dynamic activity. To have accurate visibility of these changes, an organization must establish, maintain, monitor, interpret and report effective metrics and measures. The organization needs to ensure that the information security mechanisms it is implementing keep pace with the evolving threats emerging in the current business environment.
Measures and metrics that are employed to monitor the performance of information security should be adaptable and flexible in order to be a positive and valuable asset to the organization. Once these metrics and measures have been established, organizations also need to ensure that their reports reach the intended audience in a meaningful fashion. Otherwise, misleading information gets accepted, ineffective information security controls get implemented, and the organization is put at risk.