How to implement security metrics

Assets are the most important pieces to an organization. Protecting them is crucial to maintain the value of these assets. But what about assigning a value to the protection measures? By means of security metrics we can measure the effectiveness our security programs, projects and operational security. Therefore metrics can assist in measuring our ROI, but also the value of security itself. Information security metrics are last, but not least, a great input for dashboards and proper reporting.

Step 1: Determine business goals

Before measuring the implementation of effectiveness of our security controls, we should determine the business goals and the related assets. We need to be sure about what are we protecting and why are we protecting it.

Step 2: Measure implementation

After it’s clear what the business goals are, we can start with initial metrics focused on the implementation rates. These metrics tell us if we implemented a control and how much it was implemented (or coverage).

Examples:

  • % of systems having anti-malware tooling installed (e.g. anti-virus)
  • % of systems part of Windows update tooling

Step 3: Measure effectiveness

The second level of security metrics consist of measuring the effectiveness of our security controls. Now we know how much a control covers our environment, but we still don’t know how effective it is. For that we need additional metrics which specifically focus on proper implementation.

Examples:

  • Number of systems which are unpatched discovered by vulnerability scanning
  • Number of passwords found on desk of employees

Step 4: Measure impact

When we determined the coverage and effectiveness of our security controls, we can determine the impact. Where possible we can even convert this into a monetary calculation.  Let’s say a system restore has a cost of X hours + X hours of lost productivity, we can determine how much we saved by lowering the amount of virus outbreaks.

Examples:

  • Reduction of system restores due to virus outbreaks.
  • Savings regarding website integrity (e.g. hack) in public exposure

Afterword

Metrics are very valuable to initiate new programs, but definitely to measure the effectiveness of existing security controls. Secondly they provide insights to security professionals and management about the impact it makes to the organization. If you want to create a security dashboard or reporting, then start with your business goals. Only then you should start with measuring the coverage, effectiveness and finally the real impact of your security controls. Without knowing why and what you measuring, numbers are not useful.