Security Metrics Special Interest Group

Key Points Presentation


This presentation is confidential and purely for the attention of and use by organisations that are Members of the Information Security Forum (ISF). If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected] or on +44 (0)20 7213 1745.

Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and Information Security Forum Ltd accept no responsibility for any problems or incidents arising from its use.

Key findings (1 of 2)

Key findings (2 of 2)

About this presentation

  • The presentation summarises the research and conclusions from the ISF Special Interest Group (SIG) on Security Metrics.

  • The presentation can be used by Members to:

    • understand the topic, without reading the associated report

    • gain an overview of the key issues and findings of the project

    • provide material for their own presentations on this topic.

The SIG project approach

  • The approach taken included:

  • Holding nine Member Work Group meetings

    • Over 120 attendees

    • Average attendee evaluation 4.3 out of 5

  • Analysing 56 Member-completed questionnaires

  • Interviewing 12 Members

    • Covered most sectors and geographical locations

  • Researching published material on security metrics

Project Deliverables

  • SIG meeting minutes

  • Key points presentation

These deliverables are also available on MX2

Outline of presentation

  • Defining security metrics

  • Member usage of security metrics

  • Main issues

  • Key actions

A. Defining security metrics

What are security metrics?

  • Objective, quantifiable measures against specific targets that enable an organisation to judge the effectiveness of information security in that organisation.

Security metrics should be:

  • Consistently measured

The information provided should:

  • Allow effective analysis

  • Enable reporting

  • Enhance understanding

  • Assist in managing information security

  • Demonstrate the value of information security to the business

What are security metrics?

Metrics should be: timely; reliable; trustable; accurate; simple (at a certain level); provable; meaningful and easily understandable; repeatable; verifiable; and scalable.

Characteristics of security metrics

Examples of security metrics by category

B: Member usage of security metrics

A model for understanding security metrics

Common reasons for using security metrics

  • Managing information security

  • Providing information for management reporting

  • Indicating compliance to legislation, regulation and standards

  • Showing efficiency, effectiveness and performance against objectives

  • Demonstrating the value of information security

  • Supporting a risk-based approach to information security

  • Supplying information for risk management

  • Providing information about information security risks

  • Highlighting information security strengths and weaknesses

  • Benchmarking information security arrangements

We need to continuously improve and justify what we do to management.

What security metrics are currently used?

  • Number of incidents

  • Number of business-critical incidents

  • Cost of individual incidents

  • Virus protection

    • frequency of virus incidents in a specific period

    • frequency of virus incidents compared to previous periods

    • number of viruses blocked at gateway/perimeter defences

  • Risk management

    • number of information risk analyses performed

    • number of high/critical information security risks identified

    • number of high/critical information security risks mitigated

  • Patch management

    • number of vulnerabilities recorded/patches issued (per period)

    • time to patch (eg estate or critical systems/applications)

    • percentage of systems patched, against Service Level Agreement/policy

We only use the data we can get our hands on easily. That may not be the right thing to do.

What security metrics are currently used?

  • number of staff attending awareness training

  • number of inappropriate internet sites accessed

  • Audit findings

    • number of internal audit findings

    • number of external audit findings (eg failure to comply with regulation)

    • percentage of major information security-related findings left unresolved over a stated period of time

  • total financial losses (eg lost sales, orders or production) caused by information security incidents

  • total financial value of regulatory or other fines imposed after information security incidents

  • total financial losses due to fraud (including legal and recovery costs)

  • total cost of security (cost of controls + cost of incidents)

Audiences for security metrics

  • Most common audiences:

    • CISO

    • IT function

    • Senior Management

Metrics are a way of communicating with the board to gain backing for your projects.

Examples of presentation methods

C: Main issues

Main issues with security metrics

Addressing the issues

  • Members agreed that the concepts of measuring security and security metrics have considerable merit.

  • The management saying “you can’t manage what you can’t measure” still holds true and many attendees agreed with this statement.

  • The issues identified here are not about security metrics in themselves but about using the right security metrics for an organisation.

  • Using the right security metrics delivers benefit and improves communication with non-information security professionals (eg business people, accountants, executives and managers).

D: Key actions

Key actions

  • A. Define requirements

  • B. Identify relevant security metrics

  • C. Collect data required

  • D. Produce security metrics

  • E. Prepare presentations

  • F. Use dashboards and scorecards

  • G. Review the use of security metrics

A. Define requirements

  • Define and understand audience requirements

  • Seek input from managers and staff

  • Obtain funding

B. Identify relevant security metrics

  • Decide which security metrics to use

  • Review against objectives

  • Review the chosen security metrics for ‘balance’

Key Actions

Metrics round off the picture – but don’t forget the intangibles!

You have to understand the requirements and have objectives before you start to collect metrics. You don’t want to spend man-hours collecting useless information.

C. Collect data required

  • Define data required for use in security metrics

  • Collect data for use in security metrics

  • Collect context data

  • Normalise and store the data

D. Produce security metrics

  • Perform analysis and/or aggregation of data

  • Analyse metrics

  • Test for correlation in dataset

Key Actions

Metrics must have a context – otherwise they may not be understandable.

Business isn’t always interested in numbers; trends matter too.
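Steps C and D, carried through on constructed patch-management records to produce two of the metrics listed earlier (time to patch, and percentage patched against SLA) together with the period-on-period trend. This is an added example, not code from the ISF deck; the record layout, the SLA thresholds and the reporting date are assumptions, and unpatched items are kept in the figures at their current age rather than silently dropped.

```python
from datetime import date, datetime
from statistics import median

# Constructed sample records (not data from the ISF deck): one row per vulnerability and
# system, as two scanners might export them: mixed date formats, mixed severity labels, one unpatched.
RAW = [
    {"system": "app-01", "severity": "High",     "found": "2024-02-02", "patched": "2024-02-20"},
    {"system": "app-02", "severity": "Critical", "found": "2024-02-05", "patched": "2024-02-09"},
    {"system": "web-03", "severity": "high",     "found": "12/02/2024", "patched": "2024-02-28"},
    {"system": "web-01", "severity": "Critical", "found": "2024-03-01", "patched": "2024-03-05"},
    {"system": "web-02", "severity": "HIGH",     "found": "01/03/2024", "patched": "20/03/2024"},
    {"system": "db-01",  "severity": "critical", "found": "2024-03-10", "patched": None},
]
SLA_DAYS = {"critical": 7, "high": 30}  # assumed patching policy, not from the page
AS_OF = date(2024, 3, 31)               # assumed reporting date for the constructed data

def parse_date(text):  # accept the two date layouts the sources use; reject anything else loudly
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")

def normalise(raw):
    """Step C: one schema, lower-case severities, real dates, and a reporting period per record."""
    out = []
    for r in raw:
        found = parse_date(r["found"])
        out.append({"system": r["system"], "severity": r["severity"].lower(), "found": found,
                    "patched": parse_date(r["patched"]) if r["patched"] else None,
                    "period": found.strftime("%Y-%m")})
    return out

def patch_metrics(records, as_of=AS_OF):
    """Step D: per period, % patched within SLA and median days to patch, with the count as context."""
    periods = {}
    for r in records:
        p = periods.setdefault(r["period"], {"total": 0, "in_sla": 0, "days": []})
        days = ((r["patched"] or as_of) - r["found"]).days  # open items age until as_of
        p["total"] += 1
        p["in_sla"] += bool(r["patched"] and days <= SLA_DAYS[r["severity"]])
        p["days"].append(days)
    return {k: {"total": v["total"], "pct_in_sla": round(100 * v["in_sla"] / v["total"], 1),
                "median_days": median(v["days"])} for k, v in sorted(periods.items())}

def trend(metrics, key):
    """Change in one metric from each period to the next: the trend, not only the number."""
    names = list(metrics)
    return [(b, round(metrics[b][key] - metrics[a][key], 1)) for a, b in zip(names, names[1:])]
```

On the constructed data, March's SLA figure drops because the open critical item on db-01 is already past its 7-day window; reporting the count alongside the percentage stops a three-item sample from reading as a large movement.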

E. Prepare presentations

  • Match the presentation to the audience

  • Select presentation formats

F. Use dashboards and/or scorecards

  • Balanced scorecards

Key Actions

Fewer reports are required if you have a security dashboard – you can field many enquiries with a general response.

The idea of using a balanced scorecard elegantly links information security and business.

G. Review the use of security metrics

  • Review security metrics used

  • Review presentation format

Mapping the key actions with the model

Possible future development

Balanced scorecard based on the Meta Standard

Dashboard based on ISF products

(Survey, Healthcheck, Meta Standard)

Project contacts

Adrian Davis

Project Programme Manager

Tel: +44 (0)207 213 3372

Email: [email protected]

Christopher Petch

Project Associate

Tel: +44 (0)207 212 3012

Email: [email protected]