52 ◾ PRAGMATIC Security Metrics
are because they are the customers, consumers, or users of the measurement data,
stakeholders in the information security measurement system, and as such, they have
requirements that, in due course, the system will ultimately be designed to satisfy.*
The mind map/diagram (Figure 4.1) outlines five distinct audience groups.
Notice that the audiences shown at the top and bottom of the diagram are
external to the organization, whereas the management and operations functions
shown in the middle are within it. We will talk about the insiders first.
4.1 Metrics Audiences Within the Organization
A great place to start the job of specifying information security metrics is to figure
out who does what in relation to information security within the organization.
the stage, clarifying what management information will be needed to support key deci-
sions. Unfortunately, security-related roles and responsibilities are not always entirely
obvious—they are not usually fully and explicitly documented in job descriptions and
don’t necessarily reflect the formal organizational chart. It may therefore be prudent, as
part of the process of implementing information security metrics, to remedy this issue
by mapping out roles and responsibilities, delineating as unambiguously as possible who
is supposed to be “doing security.” Clarifying the accountabilities for the protection of
information assets, generally through the nomination of information asset owners, is
* We will be exploring measurement systems in some depth in Chapter 8. It’s an important concept, but, for now, let’s simply assume that we are trying to select security metrics individually without much regard to the bigger picture.
We are, of course, blithely assuming that someone accepts responsibility to do the finding out! Are you reading this book simply out of a genuine interest in the topic, or have you been asked to sort out the security metrics? Either way, good luck!
Figure 4.1 Key audiences for information security metrics. (Diagram labels: for strategic purposes, governance, and assurance; for operational reasons, e.g., to configure and manage security controls; for information security management and process; regulators and authorities, for reassurance and compliance; for benchmarking comparison and sharing good practices; customers, local communities, and society at large, for reassurance.)