incidents during peak times may indicate a sharp increase in security breaches
because security personnel are distracted from their primary protection duties
while escorting personnel. In this instance, the value of providing escorts must
also be considered in determining the company’s security practices.
SMART Metrics
Good metrics are attainable when security professionals strive for metrics
that are SMARTSpecific, Measurable, Actionable, Relevant, and Timely.
Specific—a metric must measure a specific variable.
Measurable—a metric measures what is measurable. Not all components
of a security program are measurable. For example, morale among
security forces is often measured” but not in a quantitative manner.
Actionable—a metric should not measure variables that cannot be acted
upon. If a security decision maker cannot remedy a problem, there is
not much sense in wasting time on that variable.
Relevant—a metric that fails to provide any information to improve the
security program should be avoided. If the metric cannot tell us where
we can improve, it is not relevant.
Timely—metrics have expiration dates. Historical data are an excellent
indicator of the future; however, the older the data, the less important
they may be. A metric system incapable of assessing the latest data is
useless.
As discussed in the introduction to security metrics, the number of attacks
against the country or the number of crimes at a location may not be the best
indicator of an effective security program. While luck does play a part in the
protection game, there are other factors that can be measured in answering the
question of how secure we are. To develop a security metrics system, security
professionals can adapt the Six Sigma methodology used to eliminate defects.
The author has successfully implemented a variation of this methodology
for use with protective forces within the federal government. The methodol-
ogy involves seven steps that may be easily modified for our use in security
metrics:
1. Define the metrics system goals.
2. Decide what metrics to generate.
3. Develop strategies for generating the metrics.
4. Establish benchmarks.
5. Develop a metrics reporting system.
6. Develop and implement an action plan.
7. Create a formal system review cycle.
6 Strategic Security Management
Going through each step in detail should enable security professionals to
adapt the methodology to their needs.
The only security is the constant practice of critical thinking.
—William Graham Sumner
Step 1: Define the metrics system goals.
Critical in today’s business environment is the need to set performance-
based goals. Setting high, yet reasonable, goals during the development of a
security metrics system is a necessary step. The goals should be well-defined
and based on the needs of the security department, though continued refine-
ment of the goals while moving through the seven steps is acceptable. Each goal
should clearly state the desired result to which all metrics collection and analy-
sis efforts are directed. An example of a metric goal within the personnel
department of a security program is, The response time metric shall clearly
communicate to supervisors the average time needed for a security officer to
patrol and secure the fifth floor office space.
Step 2: Decide what metrics to generate.
Deciding what to measure is crucial to an effective metrics system. As refer-
enced earlier in this chapter, during the five-year period covered since the Sep-
tember 11, 2001 attack and the writing of this book, the United States has
suffered no major terrorist attacks. This is obviously good news, but it is not
a true measure of our vulnerability. Thus, Step 2 is to identify the specific
security components or practices that have kept us free from terrorism. One
example of this is the number of arrests of known terrorists within U.S.
borders. Another example may be the number of attacks thwarted due to intel-
ligence efforts.
Step 3: Develop strategies for generating the metrics.
Collecting the data for metrics can be a daunting task. The security profes-
sional’s strategy for data collection should identify the source of information
and the frequency with which that raw data is collected by the source. It is not
uncommon for a security decision maker to require data from other depart-
ments. Successful identification of the sources is key to a sound metrics
program. An example can be found in crime analysis. Security decision makers
often use traffic levels at a facility to calculate the crime rate at that facility.
While the security department itself typically does not have any way to deter-
mine how many people pass through a facility in a given day, month, or year,
other departments normally do have this data. The security professional must
therefore seek out that source and ensure that the data meets the quality control
requirements of the metrics system.
Step 4: Establish benchmarks.
As we have noted, there are both industry benchmarks and internal bench-
marks from which to compare. Benchmarking may be defined as the process
Data-Driven Security 7

Get Strategic Security Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.