Security Metrics Special Interest Group. Key Points Presentation. WARNING.
Key Points Presentation
This presentation is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected] or on +44 (0)20 7213 1745.
Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Ltd accept no responsibility for any problems or incidents arising from its use.
SIG meeting minutes
Key point presentation
These deliverables are also available on MX2
The information provided should:
Allow effective analysis
Assist in managing information security
Demonstrate the value of information security to the businessWhat are security metrics?
Metrics should be: timely; reliable; trustable; accurate; simple (at a certain level); provable; meaningful and easily understandable; repeatable; verifiable; and scaleable.
Providing information for management reporting
Indicating compliance to legislation, regulation and standards
Showing efficiency, effectiveness and performance against objectives
Demonstrating the value of information security
Supporting risk-based approach to information security
Supplying information for risk management
Providing information about information security risks
Highlighting information security strengths and weaknesses
Benchmarking information security arrangementsCommon reasons for using security metrics
We need to continuously improve and justify what we do to management.
Number of incidents
Number of business-critical incidents
Cost of individual incidents
frequency of virus incidents in a specific period
frequency of virus incidents compared to previous periods
number of viruses blocked at gateway/perimeter defences
number of information risk analyses performed
number of high/critical information security risks identified
number of high/critical information security risks mitigated
number of vulnerabilities recorded/patches issued (per period)
time to patch (eg estate or critical systems/applications)
percentage of systems patched, against Service Level Agreement/policyWhat security metrics are currently used?
We only use the data we can get our hands on easily. That may not be the right thing to do.
number of staff attending awareness training
number of inappropriate internet sites accessed Virus protection
number of internal audit findings
number of external audit findings (eg failure to comply with regulation)
percentage of major information security-related findings left unresolved over a stated period of time
total financial losses (eg lost sales, orders or production) caused by information security incidents
total financial value of regulatory or other fines imposed after information security incidents
total financial losses due to fraud (including legal and recovery costs)
total cost of security (cost of controls + cost of incidents)What security metrics are currently used?
Metrics are a way of communicating with the board to gain backing for your projects.
Define and understand audience requirements
Seek input from managers and staff
B. Identify relevant security metrics
Decide which security metrics to use
Review against objectives
Review the chosen security metrics for ‘balance’Key Actions
Metrics round off the picture – but don’t forget the intangibles!
You have to understand the requirements and have objectives before you start to collect metrics. You don’t want to spend man-hours collecting useless information.
Define data required for use in security metrics
Collect data for use in security metrics
Collect context data
Normalise and store the data
D. Produce security metric
Perform analysis and/or aggregation of data
Test for correlation in datasetKey Actions
Metrics must have a context – otherwise they may not be understandable.
Business isn’t always interested in numbers; trends matter too.
Match the presentation to the audience
Select presentation formats
F. Use dashboards and/or scorecards
Balanced scorecardsKey Actions
Fewer reports are required if you have a security dashboard – you can field many enquiries with a general response.
The idea of using a balanced scorecard elegantly links information security and business.
Review security metrics used
Review presentation formatKey Actions
Balanced scorecard based on the Meta Standard
Dashboard based on ISF products
(Survey, Healthcheck, Meta Standard)