The initial metrics you propose are a great start. Also, compare your company's rate of laptop loss to that of the general public to see if it's something to be concerned about. For reference sake, a recent article in Fast Company revealed that approximately one laptop gets stolen every minute, and more then 12,000 go missing each year in airports alone. It's important to not only look at the raw numbers, but also at who in your organization has laptops and what sort of data they carry on those machines.
In the end, this isn't really a metrics problem per se, but rather a risk assessment/risk management problem; though the metrics will help inform your decision. That is to say, metrics tell you where the company is today and can potentially predict where it is heading, but without context, these metrics don't actually tell you if you are in bad shape. Risk assessments give that context by taking those metrics and explaining how relevant they are. For example, one metric may show that laptop thefts are up 400% this year compared to last year. That sounds really bad, but if it means that in 2008 you lost five laptops instead of 1 and the company owns 20,000, then reducing the laptop theft rate may not need to be your highest priority -- unless all five laptops belong to the CEO or other senior executives.
Similarly, just because the number of security incidents has gone down in an organization doesn't mean that it's better off, if the incidents that did occur were much worse. By implementing proper risk management guidelines, you can effectively evaluate these metrics and appropriately prioritize your resources accordingly.
There are a lot of good risk assessment/risk management frameworks out there. My personal favorite is FAIR, but others include OCTAVE, SOMAP and even an emerging ISO standard.
FAIR is my favorite, largely because it provides a simple, easy-to-use mechanism for communicating the inherent probabilistic nature of risk. However, any of the above frameworks will get you where you need to be.
Regardless of which framework you choose, you need to know where your data is and where it's going. Once you understand how the data is moving, the rest of the analysis isn't too bad.
For more information:
- Learn more about the role information security plays in fraud prevention.
- Read more about failure mode and effects analysis for process and system risk assessment.
This was first published in February 2009