
Establishing a Metrics Management System

09 Jun 2003 | Butterworth-Heinemann


The following excerpt is from chapter 9, Establishing a Metrics Management System, of The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, written by Gerald L. Kovacich and published by Butterworth-Heinemann.


Some of the most common complaints ISSOs make are that management doesn't support them, and -- as the famous comedian Rodney Dangerfield is known for saying -- "I get no respect." Another complaint is that the cost and benefits of infosec cannot be measured.

As for the first two, you get support because you are being paid -- and these days, more often than not, quite handsomely -- and you have a budget that could have been part of corporate profits. Furthermore, respect is earned. Besides, if you want to be popular, you are definitely in the wrong profession.

One often hears management ask:

  • "What is all this security costing me?"
  • "Is it working?"
  • "Can it be done at less cost?"
  • "Why isn't it working?"

That last question often comes right after a successful denial-of-service attack or some other attack on the corporate systems or Web sites. Of course, many ISSOs respond by saying that it can't be measured. That is often said out of the ISSO's ignorance of processes to measure costs or because the ISSO is too lazy to track costs.

The more difficult question to answer is, "What are the measurable benefits of a CIAPP and infosec functions that provide support under the CIAPP?" Of course, one could always use the well-worn statement, "It can only be measured as a success or failure depending on whether or not there have been successful attacks against our systems." The truth is that many attacks go unnoticed, unreported by the users or IT people. Furthermore, separating attacks from "accidents" (human error) is usually not easy; however, metrics can help in the analyses.

What is a metric?

To begin to understand how to use metrics to support management of a CIAPP, it is important to understand what is meant by "metrics." For our purposes, a metric is defined as a standard of measurement using quantitative, statistical, and/or mathematical analyses.

What is an infosec metric?

An infosec metric is the application of quantitative, statistical, and/or mathematical analyses to measuring infosec functional trends and workload -- in other words, tracking what each function is doing in terms of level of effort (LOE), costs, and productivity.

There are two basic ways of tracking costs and benefits. One is by using metrics relative to the day-to-day, routine operations of each infosec function. These metrics are called level of effort (LOE) and are the basic functions noted in the ISSO's charter of responsibilities and accountabilities. Examples would be daily analyses of audit trail records of a firewall; granting users access to systems; and conducting noncompliance inquiries. In more financial terms, these are the recurring costs.

The other way of tracking costs and benefits is through formal project plans. In other words, if the tasks being performed are not the normal LOE tasks, then they fall under projects. Remember that functions are never-ending, daily work, while projects have a beginning and ending date with a specific objective. In more financial terms, these are the nonrecurring costs.

So, in order to efficiently and effectively develop a metrics management program, it is important to establish that philosophy and way of doing business. Everything that an ISSO and staff do can be identified as fitting into one of these two categories: LOE or project.
