Governance, Risk & Compliance Advisory Blog
Insights on best practices related to IT Audit & Compliance

Developing Metrics and Measures for Information Security Risk

June 1, 2010 08:34 by nirav

Information Security Governance has become a critical aspect of overall corporate governance activities. To facilitate effective governance of an organization’s information security activities, business-aligned metrics and measures need to be developed, implemented, monitored and reported to management.

That being said, information security, like risk, is notoriously difficult to measure; the main problem is how to measure the ‘lack of incidents’. The issues are:

  • If the information security risk analysis is accurate and correctly implemented, then the organization should be able to avoid, or at least reduce the number and severity of, security incidents
  • If the numbers are lower than before the organization implemented the controls, the organization could claim success, but what if the number and severity of incidents would have reduced anyway?
  • If the numbers are higher than before, does that necessarily mean the organizational controls are ineffective? It could simply mean that the threats and impacts have increased and the organization has not kept pace

The real issue is one of interpretation. It is practically impossible to measure objectively what might have happened if the organization had not implemented or improved its information security controls. There are some key pointers that an organization would do well to keep in mind while developing metrics to measure the effectiveness of the information security controls it has implemented.

Metrics need not have absolute measurements: The organization need not worry about minor variations in the measuring methods, so long as the objective of promoting improvement is met. Benchmarking and best-practice transfers are good examples of this kind of thinking. Don’t expect to be perfect; instead, benchmark yourself against a standard practice or against other organizations that have implemented standard frameworks.

Metrics need not be expensive: It is surprising how many security-related metrics are already collected for various purposes in the average corporation by existing tools. A classic example is how much information the helpdesk already captures through the incidents recorded across the organization. You only need to take some time to dig into this data and extract as much information as possible. It is also helpful to coordinate with the various departments in the organization to understand their measurement systems and reporting techniques.

Metrics need not be objective and tangible: Given the intangible nature of security awareness, it is definitely worth putting effort into the measurement of subjective factors, rather than relying entirely on easy-to-measure but largely irrelevant objective factors. Sometimes too much emphasis is placed on numbers such as how many incidents were recorded and resolved. While that is a good measure, intangible measures such as training feedback are also worth looking into.

Metrics should not always measure results: Most organizations are too busy measuring the outcomes of the controls they have implemented, such as the number of virus incidents or hacking attempts. Process inputs (e.g. the proportion of employees who have been exposed to training), process activities (e.g. the proportion of people regularly updating their antivirus software; audience satisfaction indices for awareness/training activities) and process outputs (e.g. reduction of virus incidents, better audit reports, lower losses) are all worthwhile sources of metrics.
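The four pointers above can be put to work on data a helpdesk and an endpoint inventory already hold. The following added example (not code from the original post) computes a process input metric (training coverage), a process activity metric (antivirus updates) and process output metrics from constructed records, and normalizes incident counts against the size of the fleet so that a rising raw count is not mistaken for failing controls; all record layouts, periods and counts are constructed assumptions.

```python
from collections import Counter

# Constructed endpoint inventory, keyed by reporting period: one (trained, av_updated)
# tuple per machine. The fleet grows from 100 to 150 machines in Q2, which is exactly
# the situation in which raw incident counts mislead.
ENDPOINTS = {
    "Q1": [(True, True)] * 60 + [(False, True)] * 30 + [(False, False)] * 10,
    "Q2": [(True, True)] * 120 + [(True, False)] * 20 + [(False, False)] * 10,
}

# Constructed helpdesk tickets as (period, category), the kind of data a helpdesk
# already records for other purposes. Password resets are not security incidents.
TICKETS = (
    [("Q1", "malware")] * 5 + [("Q1", "phishing")] * 3
    + [("Q2", "malware")] * 6 + [("Q2", "phishing")] * 4
    + [("Q2", "password reset")] * 7
)
SECURITY_CATEGORIES = {"malware", "phishing"}


def period_metrics(period):
    """Input, activity and output metrics for one reporting period."""
    fleet = ENDPOINTS[period]
    n = len(fleet)
    counts = Counter(cat for p, cat in TICKETS if p == period and cat in SECURITY_CATEGORIES)
    incidents = sum(counts.values())
    return {
        "endpoints": n,
        "trained_pct": round(100 * sum(t for t, _ in fleet) / n, 1),     # process input
        "av_updated_pct": round(100 * sum(a for _, a in fleet) / n, 1),  # process activity
        "incidents": incidents,                                           # raw output
        "incidents_per_100": round(100 * incidents / n, 2),              # output per exposure
        "by_category": dict(counts),
    }


def compare_periods(prev, cur):
    """Period-over-period change; flags when raw count and normalized rate disagree."""
    a, b = period_metrics(prev), period_metrics(cur)
    count_up = b["incidents"] > a["incidents"]
    rate_up = b["incidents_per_100"] > a["incidents_per_100"]
    if count_up and not rate_up:
        note = "count rose with the fleet; the per-endpoint rate fell"
    elif rate_up and not count_up:
        note = "count fell but the per-endpoint rate rose; exposure shrank faster than incidents"
    elif count_up:
        note = "count and per-endpoint rate both rose"
    else:
        note = "count and per-endpoint rate both fell or were flat"
    return {
        "trained_pct_change": round(b["trained_pct"] - a["trained_pct"], 1),
        "av_updated_pct_change": round(b["av_updated_pct"] - a["av_updated_pct"], 1),
        "incident_count_change": b["incidents"] - a["incidents"],
        "incident_rate_change": round(b["incidents_per_100"] - a["incidents_per_100"], 2),
        "note": note,
    }


if __name__ == "__main__":
    for period in ("Q1", "Q2"):
        print(period, period_metrics(period))
    print(compare_periods("Q1", "Q2"))
```

Reporting the leading indicators next to the normalized rate is what makes the Q2 figures interpretable: two more incidents in absolute terms, but fewer per endpoint, alongside a jump in training coverage and a drop in antivirus currency that deserves follow-up.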

Conclusion:
Information security is a dynamic activity. To have accurate visibility of these changes, an organization must establish, maintain, monitor, interpret and report effective metrics and measures. The organization needs to ensure that the information security mechanisms it is implementing keep pace with the evolving threats that arise in the current business environment.

Measures and metrics that are employed to monitor the performance of information security should be adaptable and flexible in order to be a positive and valuable asset to the organization. Once these metrics and measures have been established, organizations also need to ensure that their reports reach the intended audience in a meaningful fashion. Otherwise, misleading information goes unrecognized, ineffective information security controls get implemented, and the organization is put at risk.


Comments

June 6. 2010 22:35

How do I follow this blog?

Jim Brady

March 19. 2011 18:33

You should really moderate the comments here

video game tester job

August 17. 2011 14:32

I should really be working

Stevie

October 2. 2011 11:12

By the way breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality.

custom made essays