Measuring security is especially important if a company invests a lot of time and efforts in securing their organization. However measuring security is not an easy task, as there are a lot of different variables and non-tangible items.
Common items measured by companies are:
- Security events (number of)
- Effectiveness of a security program or project
- The successful pass of a security audit
- Risk Analysis and their results
- Compliancy testing
While these areas give a good insight in the efforts taken by involved security professionals and the company in general, one has to dig deeper in the meaning of each measured security metric. For example compliancy can contain hundreds of different metrics, like the percentage of systems covered with anti-malware software, the amount of critical security patches available on a system or percentage of certified security personnel. In all cases, there should be a clear understanding of why something is measured and what defines a good (or bad) value. For example one can determine that a percentage of all systems have to audited at least once a year. That might be a good metric, as long as it is clear why this has to happen and what defines a good or bad outcome. Just the fact that a system has been audited doesn’t tell that much yet. For example a “positive” result might be that it passed on minimal security requirements.
When defining a plan or project to measure information security, include the why and what of each metric. Add a minimal threshold or baseline, to determine in what areas a successful result has been achieved. Also the impact of not reaching compliancy might be stated, so management can decide if there is a clear risk which need to be addressed.