It is essential to measure information protection processes to ensure that they are functioning as required. Metrics also enable improvement of these processes. Some metrics measure progress on processes: the number of audits performed, security systems installed, incidents reported, and the amount of unexamined data in systems. More sophisticated metrics will focus on findings from audits or the movement of the organization along a maturity model. Create a baseline (initial reading) of each metric to show progress over time.
Applicable Metrics
- Security Implementation Metrics: These general security metrics can be framed as positive value percentages:
  - Percentage of enterprise computers having the most recent security patches installed
  - Percentage of computers having up-to-date anti-malware software installed and running
  - Percentage of new hires who have had successful background checks
  - Percentage of employees scoring more than 80% on the annual security practices quiz
  - Percentage of business units for which a formal risk assessment analysis has been completed
  - Percentage of business processes successfully tested for disaster recovery in the event of fire, earthquake, storm, flood, explosion, or other disaster
  - Percentage of audit findings that have been successfully resolved
  - Trends can be tracked on metrics framed as lists or statistics:
    - Performance metrics of all security systems
    - Background investigations and results
    - Contingency planning and business continuity plan status
    - Criminal incidents and investigations
    - Due diligence examinations for compliance, and the number of findings that need to be addressed
    - Information risk management analyses performed, and the number of those resulting in actionable changes
    - Policy audit implications and results, such as clean desk policy checks performed by evening-shift security officers during rounds
    - Security operations, physical security, and premises protection statistics
    - Number of documented, accessible security standards (a.k.a. policies)
  - The motivation of relevant parties to comply with security policies can also be measured:
    - Business conduct and reputational risk analysis, including employee training
    - Business hygiene and insider risk potential based on specific types of data such as financial, medical, trade secrets, and insider information
    - Confidence and influence indicators among managers and employees as an indication of how data security efforts and policies are perceived
Select and maintain a reasonable number of actionable metrics in appropriate categories over time to assure compliance, spot issues before they become crises, and indicate to senior management a determination to protect valuable corporate information.
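The percentage metrics above only show progress once each has a recorded baseline and is re-read periodically. The following script, added here as an example and not part of the original text, computes three of them (patch coverage, anti-malware coverage, resolved audit findings) from a constructed host and findings inventory, compares each reading against a constructed baseline, and lists the metrics that regressed so they can be raised before they become a crisis. The record layout, field names, baseline values and target thresholds are all assumptions made for the example.

```python
"""Compute security implementation metrics from a constructed inventory and
compare each reading against a recorded baseline to show progress over time."""
from typing import Dict, List

# Constructed sample inventory (not real hosts). Each record states whether the
# host has the current patch level and a running, up-to-date anti-malware agent.
SAMPLE_HOSTS: List[Dict] = [
    {"host": "ws-001", "patched": True, "av_current": True},
    {"host": "ws-002", "patched": False, "av_current": True},
    {"host": "ws-003", "patched": True, "av_current": False},
    {"host": "srv-01", "patched": True, "av_current": True},
    {"host": "srv-02", "patched": False, "av_current": False},
]

# Constructed audit-findings sample: each finding is either resolved or still open.
SAMPLE_FINDINGS: List[Dict] = [
    {"id": "F-1", "resolved": True},
    {"id": "F-2", "resolved": True},
    {"id": "F-3", "resolved": False},
    {"id": "F-4", "resolved": True},
]

# Constructed baseline (the initial reading taken when measurement started).
SAMPLE_BASELINE: Dict[str, float] = {
    "patched_pct": 50.0,
    "av_current_pct": 60.0,
    "findings_resolved_pct": 80.0,
}

# Assumed target thresholds; an organization would set these from its own policy.
SAMPLE_TARGETS: Dict[str, float] = {
    "patched_pct": 95.0,
    "av_current_pct": 98.0,
    "findings_resolved_pct": 90.0,
}


def percentage(numerator: int, denominator: int) -> float:
    """Positive-value percentage rounded to one decimal; 0.0 when nothing is in scope."""
    if denominator == 0:
        return 0.0
    return round(100.0 * numerator / denominator, 1)


def implementation_metrics(hosts: List[Dict], findings: List[Dict]) -> Dict[str, float]:
    """Current reading of three percentage metrics from the inventories."""
    return {
        "patched_pct": percentage(sum(h["patched"] for h in hosts), len(hosts)),
        "av_current_pct": percentage(sum(h["av_current"] for h in hosts), len(hosts)),
        "findings_resolved_pct": percentage(sum(f["resolved"] for f in findings), len(findings)),
    }


def compare_to_baseline(current: Dict[str, float], baseline: Dict[str, float]) -> Dict[str, str]:
    """Per-metric trend relative to the baseline: improved, unchanged, or regressed."""
    trend = {}
    for name, value in current.items():
        base = baseline.get(name)
        if base is None:
            trend[name] = "no_baseline"      # first reading becomes the baseline
        elif value > base:
            trend[name] = "improved"
        elif value < base:
            trend[name] = "regressed"
        else:
            trend[name] = "unchanged"
    return trend


def regressed_metrics(current: Dict[str, float], baseline: Dict[str, float]) -> List[str]:
    """Names of metrics that moved the wrong way since the baseline, for escalation."""
    return [n for n, t in compare_to_baseline(current, baseline).items() if t == "regressed"]


def below_target(current: Dict[str, float], targets: Dict[str, float]) -> List[str]:
    """Names of metrics still short of their target, regardless of trend."""
    return [n for n, v in current.items() if n in targets and v < targets[n]]


if __name__ == "__main__":
    reading = implementation_metrics(SAMPLE_HOSTS, SAMPLE_FINDINGS)
    for name, value in reading.items():
        print(f"{name:24s} {value:5.1f}%  baseline {SAMPLE_BASELINE[name]:5.1f}%  "
              f"{compare_to_baseline(reading, SAMPLE_BASELINE)[name]}")
    print("regressed:", regressed_metrics(reading, SAMPLE_BASELINE))
    print("below target:", below_target(reading, SAMPLE_TARGETS))
```

In practice the inventories would be exported from the patch management, endpoint protection and audit tracking systems rather than embedded; the point of the script is the shape of the report: each metric with its baseline, its direction of travel, and a short list of regressions to act on.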
- Security Awareness Metrics: Consider these general areas to select appropriate metrics:
  - Risk assessment findings provide qualitative data that needs to be fed back to the appropriate business units to make them more aware of their accountability.
  - Risk events and profiles identify unmanaged exposures that need correction. Determine the absence or degree of measurable improvement in risk exposure or conformance to policy by conducting follow-up testing of the awareness initiative to see how well the messages got across.
  - Formal feedback surveys and interviews identify the level of security awareness. Also measure the number of employees who have successfully completed security awareness training within targeted populations.
  - Incident post mortems, lessons learned, and victim interviews provide a rich source of information on gaps in security awareness. Measures may include how much of the vulnerability has been mitigated.
  - Patching effectiveness audits examine specific machines that work with confidential and regulated information to assess the effectiveness of security patching. (An automated patching system is advised whenever possible.)
- Data Protection Metrics: Requirements will dictate which of these are pertinent to an organization:
  - Criticality ranking of specific data types and information systems that, if made inoperable, would have a profound impact on the enterprise.
  - Annualized loss expectancy of mishaps, hacks, thefts, or disasters related to data loss, compromise, or corruption.
  - Risk of specific data losses related to certain categories of regulated information, and remediation priority ranking.
  - Risk mapping of data to specific business processes. For example, risks associated with Point of Sale devices would be included in the risk profile of the financial payment system.
  - Threat assessments performed based on the likelihood of an attack against certain valuable data resources and the media through which they travel.
  - Vulnerability assessments of specific parts of the business process where sensitive information could be exposed, either accidentally or intentionally.
- Security Incident Metrics:
  - Intrusion attempts detected and prevented
  - Return on Investment for security costs, using savings from prevented intrusions
- Confidential Data Proliferation: The number of copies of confidential data should be measured in order to reduce this proliferation. The more places confidential data is stored, the higher the risk of a breach.