Going through each step in detail should enable security professionals to
adapt the methodology to their needs.
The only security is the constant practice of critical thinking.
—William Graham Sumner
Step 1: Define the metrics system goals.
Critical in today’s business environment is the need to set performance-based
goals. Setting high, yet reasonable, goals during the development of a
security metrics system is a necessary step. The goals should be well-defined
and based on the needs of the security department, though continued refinement
of the goals while moving through the seven steps is acceptable. Each goal
should clearly state the desired result to which all metrics collection and
analysis efforts are directed. An example of a metric goal within the personnel
department of a security program is, “The response time metric shall clearly
communicate to supervisors the average time needed for a security officer to
patrol and secure the fifth floor office space.”
Step 2: Decide what metrics to generate.
Deciding what to measure is crucial to an effective metrics system. As
referenced earlier in this chapter, during the five-year period covered since
the September 11, 2001 attack and the writing of this book, the United States
has suffered no major terrorist attacks. This is obviously good news, but it is
not a true measure of our vulnerability. Thus, Step 2 is to identify the
specific security components or practices that have kept us free from
terrorism. One example of this is the number of arrests of known terrorists
within U.S. borders.
borders. Another example may be the number of attacks thwarted due to intel-
Step 3: Develop strategies for generating the metrics.
Collecting the data for metrics can be a daunting task. The security
professional’s strategy for data collection should identify the source of
information and the frequency with which that raw data is collected by the
source. It is not uncommon for a security decision maker to require data from
other departments. Successful identification of the sources is key to a sound
metrics program. An example can be found in crime analysis. Security decision
makers often use traffic levels at a facility to calculate the crime rate at
that facility. While the security department itself typically does not have any
way to determine how many people pass through a facility in a given day, month,
or year, other departments normally do have this data. The security
professional must therefore seek out that source and ensure that the data meets
the quality control requirements of the metrics system.
Step 4: Establish benchmarks.
As we have noted, there are both industry benchmarks and internal benchmarks
against which to compare. Benchmarking may be defined as the process
Data-Driven Security 7