Security Risk Metrics: Measuring the Business Value

Krag Brotby started an interesting discussion on security metrics. His comment about “plug-and-play strategic and management metrics” caught my eye. He made a good point:

Today’s security metrics continue to focus mainly on tactical technical measures that won’t answer the overarching security questions that information security, business and senior management need to navigate with.

In my opinion, first, there is a need for “Security Risk Metrics”, not just Security Metrics. Second, there is a need for better Security Risk Metrics: not to “quantify” the risk but to “pictorify” it. Senior managers don’t have time to study numbers, tables, and charts. Metrics should work like a traffic light, so that anyone can understand them without needing Red, Yellow, and Green explained. We all produce good metrics, but the questions worth asking are: are they risk based, and are they easy to understand?

Metrics serve only one purpose, decision support, and it seems greater granularity and more relevant information are likely to be required to support effective risk and security decisions beyond what can be conveyed by a heat chart.

I agree that there must be underlying data to support each and every heat chart. But the view depends on who the audience is and can be adjusted accordingly. For example, a program sponsor will not be interested in the productivity metrics of each individual resource; what he or she wants to know is whether all projects were completed on time and within budget.
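To make the two points above concrete (a traffic-light status that anyone can read, backed by the underlying risk data so a different audience can drill into it), here is an added example that is not part of the original post or Krag’s books. The 1..5 likelihood and impact scales, the RED/AMBER thresholds, the worst-finding roll-up rule and the sample findings are all assumptions constructed for the illustration; a real program would set them in its own risk methodology.

```python
"""Roll per-finding risk data up into traffic-light (RAG) views for different audiences.

Added example, not code from the original post. The scoring scale, the RAG
thresholds, the roll-up rule and the sample findings are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed qualitative scales: likelihood and impact are each rated 1 (low) to 5 (high),
# so a finding's score is the product, 1..25. Thresholds are assumptions for this example.
RED_AT = 15
AMBER_AT = 8


@dataclass(frozen=True)
class Finding:
    finding_id: str
    business_unit: str
    title: str
    likelihood: int   # 1..5
    impact: int       # 1..5
    days_open: int

    @property
    def score(self) -> int:
        """Risk score = likelihood * impact (assumed scoring method)."""
        return self.likelihood * self.impact


def rag(score: int) -> str:
    """Map a risk score to a traffic-light colour."""
    if score >= RED_AT:
        return "RED"
    if score >= AMBER_AT:
        return "AMBER"
    return "GREEN"


def rollup(findings):
    """Aggregate findings per business unit, keeping the counts that back the colour.

    The unit's colour is the worst colour among its findings: a single critical
    exposure must not be averaged away by many green ones.
    """
    units = defaultdict(lambda: {"RED": 0, "AMBER": 0, "GREEN": 0, "max_score": 0})
    for f in findings:
        unit = units[f.business_unit]
        unit[rag(f.score)] += 1
        unit["max_score"] = max(unit["max_score"], f.score)
    return {name: {**counts, "status": rag(counts["max_score"])}
            for name, counts in units.items()}


def executive_view(summary):
    """Sponsor view: one colour per unit, worst first, no numbers to interpret."""
    order = {"RED": 0, "AMBER": 1, "GREEN": 2}
    ranked = sorted(summary.items(), key=lambda kv: (order[kv[1]["status"]], kv[0]))
    return [(name, s["status"]) for name, s in ranked]


def drilldown(findings, business_unit):
    """Risk-owner view: the underlying findings that produced a unit's colour."""
    mine = (f for f in findings if f.business_unit == business_unit)
    return sorted(mine, key=lambda f: (-f.score, f.days_open))


# Constructed sample data for the example (not real findings).
SAMPLE_FINDINGS = [
    Finding("F-1", "Payments", "Internet-facing admin console without MFA", 4, 5, 45),
    Finding("F-2", "Payments", "Outdated TLS configuration on internal API", 2, 3, 12),
    Finding("F-3", "HR", "Shared service account in HR database", 3, 3, 90),
    Finding("F-4", "Marketing", "Stale DNS record for retired campaign site", 1, 2, 3),
]

if __name__ == "__main__":
    summary = rollup(SAMPLE_FINDINGS)
    for name, status in executive_view(summary):
        print(f"{status:6} {name}")
    for f in drilldown(SAMPLE_FINDINGS, "Payments"):
        print(f"  {f.finding_id} score={f.score:2} {rag(f.score):5} {f.title}")
```

The executive view shows only Payments RED, HR AMBER, Marketing GREEN; the drill-down for Payments shows that one finding (F-1) drives the red, which is the underlying data a program sponsor does not need but a risk owner does. Using the worst finding rather than an average is the design choice that keeps the colour risk based.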

Krag’s new books on Security Metrics and Information Security Governance will be released next week.
