In Chapter 10, we shared an operational security-metrics maturity model. The model started with sparse data analytics. That really is the main theme of this book: “how to measure and then decide on what to invest in when you have a lot of uncertainty caused by limited empirical data.” Chapters 8 and 9 represent the main modeling techniques used in sparse data analytics. The goal is to make the best decision given the circumstances. And as you may recall, a decision is an “irrevocable allocation of resources.” In short, you know you’ve made a decision when you have written a check. Is measurement all over once you have made an investment? Certainly not!

What do you measure once you have made a decision (i.e., an investment)? You determine if your investment is meeting the performance goals you have set for it. For the security professional this is the realm of operational security metrics. Once you have made a security investment, you need to measure how well that investment is doing against certain targets. That target is often considered a KPI.

Assuming you have made a serious outlay of cash, this would warrant some form of continuous “automated” measurement for optimization purposes. Likely you may have made a number of investments that work together to affect one or more key risks. When it comes to integrating data sources for the purpose of measuring historical performance, we are now talking security metrics ...