Security Metrics

Security Metrics is the companion book to the Governance Guidebook. It includes:

Together, these metrics provide comprehensive programmatic coverage of the issues that make a difference to the business, not just to a technologist.

Metrics are formed from repeatable measurements that are comparable. For example, distance metrics such as yards or meters can be measured by anyone who has access to the standard, and any two things that are measured can be compared to determine which is shorter or longer. Useful security metrics should meet the same criteria: they should be repeatable and comparable.

Not all metrics are useful for all purposes. For example, it is very hard to relate the number of spyware signatures a spyware detector scans for to the reduction in risk for the enterprise that uses it. For security metrics to be useful to the organization, they have to relate to organizational goals in terms of the organization's duty to protect. It may be easy to measure how many vulnerabilities a vulnerability scanner detects in a given month, but a reduction of two in the number of vulnerabilities may have almost no effect on risk.
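The count-versus-risk point above, as an added example that is not from the book or this page: a Python script that scores the same constructed set of findings two ways, as a raw vulnerability count and as a risk-weighted total, and compares two months in which two low-risk findings were fixed against two months in which one exposed critical finding was fixed. The weighting (severity scaled by internet exposure and data sensitivity) and all host names and findings are assumptions made for illustration; both measurements are deterministic over the same input, so they are repeatable and comparable in the sense the text describes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One scanner finding. All values below are constructed for this example."""
    host: str
    finding_id: str
    cvss: float                 # base severity, 0.0 to 10.0
    internet_facing: bool       # reachable from outside the perimeter
    holds_regulated_data: bool  # asset stores data the organization has a duty to protect


def raw_count(findings: List[Finding]) -> int:
    """The scanner dashboard number: how many findings are open."""
    return len(findings)


def risk_weighted(findings: List[Finding]) -> float:
    """Assumed weighting: severity multiplied by exposure and data-sensitivity factors.
    The factors (3x for internet-facing, 2x for regulated data) are illustrative, not a standard."""
    total = 0.0
    for f in findings:
        exposure = 3.0 if f.internet_facing else 1.0
        sensitivity = 2.0 if f.holds_regulated_data else 1.0
        total += f.cvss * exposure * sensitivity
    return round(total, 1)


def pct_change(before: float, after: float) -> float:
    """Month-over-month change in percent, rounded to one decimal."""
    if before == 0:
        return 0.0
    return round((after - before) / before * 100.0, 1)


def compare(before: List[Finding], after: List[Finding]) -> Dict[str, Tuple[float, float, float]]:
    """Return (before, after, percent change) for each metric so the two can be read side by side."""
    metrics: Dict[str, Callable[[List[Finding]], float]] = {
        "raw_count": raw_count,
        "risk_weighted": risk_weighted,
    }
    return {name: (fn(before), fn(after), pct_change(fn(before), fn(after)))
            for name, fn in metrics.items()}


# Constructed month-1 snapshot: two serious findings on an exposed, regulated-data host,
# three low-severity findings on isolated lab equipment.
MONTH_1 = [
    Finding("web01", "F1", 9.8, True, True),
    Finding("web01", "F2", 7.5, True, True),
    Finding("lab-pc-07", "F3", 3.1, False, False),
    Finding("lab-pc-08", "F4", 2.6, False, False),
    Finding("printer-03", "F5", 4.3, False, False),
]

# Month 2, scenario A: the two lab findings were fixed (count drops by two).
MONTH_2_LOW_FIXED = [f for f in MONTH_1 if f.finding_id not in ("F3", "F4")]

# Month 2, scenario B: only the exposed critical finding was fixed (count drops by one).
MONTH_2_CRITICAL_FIXED = [f for f in MONTH_1 if f.finding_id != "F1"]


if __name__ == "__main__":
    for label, after in (("two low-risk fixed", MONTH_2_LOW_FIXED),
                         ("one exposed critical fixed", MONTH_2_CRITICAL_FIXED)):
        print(label)
        for name, (b, a, pct) in compare(MONTH_1, after).items():
            print(f"  {name:14s} {b:>6} -> {a:>6}  ({pct:+.1f}%)")
```

Scenario A looks like a 40% improvement on the raw count while the weighted score moves about 5%; scenario B moves the raw count by one but removes roughly half of the weighted risk. Which of the two the organization should report depends on what it has a duty to protect, which is the point the text makes.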

A presentation from the Computer Security Institute on what makes good and bad metrics is included here for your viewing interest.