78 ◾ Information Security Metrics
It may be fairly reliable. ◾
It will typically not be accurate. ◾
It may be timely. ◾
It is not very predictive. ◾
In fairness, applying this set of criteria to most current security metrics will yield
a similar result. It may be useful to apply a scalar quantity to these metrics evalu-
ations to achieve a relative score that can be used to rank metrics usefulness for
security management.
For example, we could use a 1 to 10 scale, with 10 being the highest.
Example 1
Vulnerability scans in terms of usefulness for information security
management might be
Manageable 10
Meaningful 3
Actionable 2
Unambiguous 2
Reliable 8
Accurate 6
Timely 10
Predictive 2
resulting in a total score of 44 out of a possible 80.
ese ...