Information Security Management Metrics ◾ 139
Let’s consider how the required information may be acquired for each of these
elements.
Criticality and Sensitivity
e level of compliance that may be satisfactory from a purely risk-based view will
hinge on the level of criticality and/or sensitivity of the procedural activity under
consideration. For procedures that are not critical or sensitive, a low level of pro-
cedural compliance may pose little risk. A broader issue may be the difficulty in
structurally, operationally, and culturally mandating and enforcing vastly differ-
ent levels of compliance. One risk is that personnel in the habit of cutting corners
while performing some procedures are likely to do so in others as well.
For activitie ...