PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Appendix F: Prototype Metrics Catalog
The following table lists the information security metrics described individually in Chapter 7. We refer to it as a prototype metrics catalog for two important reasons: (1) the information shown here, even considering the additional text from Chapter 7, is minimal. In reality, a metrics catalog actually used by an organization would generally include a variety of extra data fields not shown here (e.g., nominal owners and audiences for all the metrics being used, information on data sources and methods of analysis and presentation/reporting), depending on what the organization finds useful; and (2) 154 metrics falls well short of the total number of information security metrics that would normally be considered and doesn't even account for all of the metrics mentioned in the book (many of which are merely implied). As noted in the main text, it is generally easy to generate a whole family of related metrics through minor changes to the wording or nature of any one: such variants could be listed as a group or separately, but either way, there is a real prospect of scattering near-duplicate metrics throughout the catalog unless it is so well structured that they all magically cluster together.
Level: S = Strategic, M = Managerial, O = Operational.
PRAGMATIC ratings (%): P = Predictive, R = Relevant, A = Actionable, G = Genuine, M = Meaningful, A = Accurate, T = Timely, I = Independent, C = Cost. Score = overall PRAGMATIC score (%).

| Rank | Reference | Example Metric | Level | P | R | A | G | M | A | T | I | C | Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 6.1 | Quality of security metrics in use | S M | 96 | 91 | 99 | 92 | 88 | 94 | 89 | 79 | 95 | 91% |
| 2 | 7.1 | Number of orphaned information assets without an owner | M | 85 | 90 | 97 | 90 | 90 | 95 | 85 | 99 | 90 | 91% |
| 3 | 11.1 | Rate of messages received at central access logging/alerting system | O | 87 | 88 | 94 | 93 | 93 | 94 | 97 | 89 | 79 | 90% |
| 4 | 14.1 | Coverage of business impact analyses | S M | 95 | 90 | 99 | 90 | 95 | 80 | 86 | 80 | 88 | 89% |
| 5 | 6.2 | Percentage of security controls that may fail silently | S M O | 90 | 90 | 90 | 90 | 90 | 93 | 86 | 93 | 80 | 89% |
| 6 | 5.1 | Number of security policies, standards, procedures, and metrics with committed owners | M | 81 | 87 | 90 | 95 | 92 | 92 | 77 | 92 | 90 | 88% |
| 7 | 9.1 | Power consumed by the computer suite versus air conditioning capacity | O | 81 | 69 | 89 | 92 | 80 | 99 | 98 | 90 | 98 | 88% |
| 8 | 6.3 | Security governance maturity | S M | 95 | 97 | 70 | 78 | 91 | 89 | 90 | 85 | 90 | 87% |
| 9 | 14.2 | Business continuity management maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 87 | 90 | 86% |
| 10 | 10.1 | IT security maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 11 | 12.1 | Software security maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 12 | 13.1 | Information security incident management maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 13 | 15.1 | Information security compliance management maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 14 | 7.2 | Information asset management maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 15 | 8.1 | Human resources security maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 16 | 9.2 | Physical and environmental security maturity | S M | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| 17 | 4.1 | Security risk management maturity | S M | 92 | 98 | 68 | 78 | 90 | 83 | 89 | 84 | 92 | 86% |
| 18 | 15.2 | Breakdown of exceptions and exemptions | M | 87 | 83 | 84 | 94 | 81 | 83 | 84 | 87 | 88 | 86% |
| 19 | 11.2 | Information access control maturity | S M | 90 | 95 | 70 | 80 | 90 | 80 | 90 | 85 | 90 | 86% |
| 20 | 4.2 | Number of high/medium/low risks currently untreated/unresolved | S M O | 87 | 87 | 84 | 81 | 89 | 80 | 87 | 83 | 90 | 85% |
| 21 | 14.3 | Percentage of critical business processes having adequate business continuity arrangements | M | 85 | 97 | 93 | 84 | 89 | 75 | 85 | 85 | 75 | 85% |

(continued)
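The appendix text warns that near-duplicate metrics scatter through a catalog unless it is structured so they cluster, and the table above shows the symptom: eight "maturity" metrics (ranks 9 to 16) carry the same nine ratings. The following script is an added example, not code from the book or its authors. It parses rows in the flattened "<level letters> <nine ratings> <score>%" form the table uses, recomputes each overall score, compares it with the printed score, checks that rank order follows score, and groups metrics whose rating profiles are identical. The scoring rule it applies (overall PRAGMATIC score = mean of the nine ratings, rounded to a whole percent) is an assumption; it reproduces every printed score in the table above. The sample rows are transcribed from that table.

```python
"""Consistency checks over a PRAGMATIC metrics catalog (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
            "Accurate", "Timely", "Independent", "Cost")
LEVELS = {"S", "M", "O"}  # strategic, managerial, operational

# Constructed sample: six rows transcribed from the catalog table,
# in the flattened "<levels> <nine ratings> <score>%" form.
SAMPLE_ROWS = [
    (1, "6.1", "Quality of security metrics in use",
     "S M 96 91 99 92 88 94 89 79 95 91%"),
    (2, "7.1", "Number of orphaned information assets without an owner",
     "M 85 90 97 90 90 95 85 99 90 91%"),
    (10, "10.1", "IT security maturity",
     "S M 90 95 70 80 90 85 90 85 90 86%"),
    (11, "12.1", "Software security maturity",
     "S M 90 95 70 80 90 85 90 85 90 86%"),
    (18, "15.2", "Breakdown of exceptions and exemptions",
     "M 87 83 84 94 81 83 84 87 88 86%"),
    (19, "11.2", "Information access control maturity",
     "S M 90 95 70 80 90 80 90 85 90 86%"),
]


@dataclass(frozen=True)
class CatalogEntry:
    rank: int
    reference: str
    name: str
    levels: tuple       # subset of LEVELS
    ratings: tuple      # nine ints, in CRITERIA order
    stated_score: int   # percentage printed in the catalog

    @property
    def computed_score(self) -> int:
        # Assumption (matches every row of the table): the overall PRAGMATIC
        # score is the mean of the nine ratings, rounded to a whole percent.
        return round(mean(self.ratings))


def parse_row(rank: int, reference: str, name: str, tail: str) -> CatalogEntry:
    """Split a flattened row into level letters, nine ratings and score."""
    tokens = tail.split()
    if len(tokens) < 11 or not tokens[-1].endswith("%"):
        raise ValueError(f"row {rank} ({reference}): malformed rating string")
    stated = int(tokens[-1].rstrip("%"))
    ratings = tuple(int(t) for t in tokens[-10:-1])
    levels = tuple(tokens[:-10])
    if not levels or not set(levels) <= LEVELS:
        raise ValueError(f"row {rank} ({reference}): bad level letters {levels}")
    if any(not 0 <= r <= 100 for r in ratings) or not 0 <= stated <= 100:
        raise ValueError(f"row {rank} ({reference}): value outside 0-100")
    return CatalogEntry(rank, reference, name, levels, ratings, stated)


def load_catalog(rows=SAMPLE_ROWS) -> list:
    return [parse_row(*row) for row in rows]


def score_mismatches(entries) -> list:
    """References whose printed score differs from the recomputed mean."""
    return [e.reference for e in entries if e.computed_score != e.stated_score]


def rank_consistent(entries) -> bool:
    """True if the printed score never rises as the rank number increases."""
    ordered = sorted(entries, key=lambda e: e.rank)
    return all(a.stated_score >= b.stated_score
               for a, b in zip(ordered, ordered[1:]))


def rating_profile_groups(entries) -> dict:
    """Map each nine-rating profile shared by 2+ metrics to their references."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.ratings].append(e.reference)
    return {profile: refs for profile, refs in groups.items() if len(refs) > 1}


if __name__ == "__main__":
    catalog = load_catalog()
    print("score mismatches:", score_mismatches(catalog))
    print("rank order consistent:", rank_consistent(catalog))
    for profile, refs in rating_profile_groups(catalog).items():
        print("identical ratings", dict(zip(CRITERIA, profile)), "->", refs)
```

On the sample rows the script reports no score mismatches, a consistent rank order, and one identical-profile group (10.1 and 12.1); 11.2 differs from that family only in its Accurate rating, so a check on exact equality would not catch it, which is the kind of near-duplicate the text says a well-structured catalog should surface.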