124 ◾ Information Security Metrics
be prudent but from a business perspective is likely to adversely affect operational
efficiency and be perceived as an unnecessary nuisance and even contrary to the
notion of strategic alignment.
What information is needed to make this decision?
To a large extent, this will be determined by the industry sector. It is common in
manufacturing and retail to preclude any security activity that has a noticeable negative
impact on operations. In this case, the information needed by the security manager
is simple—for example, the metric can be the number of complaints from users. Any
increase in complaints mandates the requirement to make controls less restrictive.
e regulated financial sector is more balanced in