Metrics are the key to measuring security. These frameworks will help you gather data and calculate the answers you need.
Here's a formula most security pros will recognize:
Risk = Threat x Vulnerability x Expected Loss
It's useful for expressing the necessity and purpose of security. It's equally difficult to quantify with meaningful numbers.
How do you numerically express a threat? What is the cost of a vulnerability? How do you calculate expected loss? And, when you multiply these three variables, how do you denote risk in a way that can be translated into an action item?
Security metrics--the measure of security policies, processes and products--is the much-sought-after solution to this conundrum. Security managers look for a magic formula that calculates risk and effectiveness in reducing risk, but the reality is that security metrics aren't that simple.
Measuring security is about using common sense. Managers need to determine what to measure, organize the variables in a way that makes them manageable and meaningful, and build repeatable formulas that show the snapshot status of security and how it changes over time.
We'll define some of the underlying elements required for security metrics and how security managers can use them to quantify different portions of their security programs. We can't provide all the answers, but we'll provide you with a better understanding of the complexity of security
Calculating Asset Value
Enterprises routinely place values on all information assets (hardware, software and data) that are reflected in IT spending. Enterprises expect every hardware and software installation to return an amount that's at least equal to its total cost of ownership (TCO) over its life expectancy.
If we accept that premise, we can assume that the minimum value of all computing assets is the amount of IT spending for a year (salaries, operations and maintenance) plus the depreciation or amortization value of the assets (hardware and software). An ERP system with a TCO of $20 million must return at least that much over its lifespan.
But such calculations need context. That's why we assign quantifiable values to information assets for objective evaluation and comparison. The following are some ways to classify your information assets' value:
Productivity Value. An asset's worth is at least as much as the costs of implementing, maintaining and using it. For a single PC, the minimum information asset value is the cost of the PC plus software, a percentage of IT overhead costs (e.g., help desk) and the user's time (salary). As you'll see later, productivity value is essential for calculating other security metrics.
Revenue Value. For some assets, worth is measured in the value of transactions. If your e-commerce Web server processes $1 million in transactions a day, it's worth $365 million annually.
Revenue value isn't always clear-cut. Supply-chain systems, such as manufacturing equipment and control systems, don't generate revenue, but your revenue generators are useless without their productivity. Their value is often calculated by measuring how much revenue would be lost if those systems were unavailable.
What isn't as easy to calculate is the revenue value of a pure information asset, such as software, music, movies and electronic documents, that can be perfectly replicated. The assets' values are usually much higher than their assigned prices, since they're sold many times over. The value of an "information asset for sale" can be estimated using historical data and/or revenue trend information.
Liquid Financial Assets Value. Those much-vaunted "assets under management" figures associated with financial institutions provide a straightforward way to assess their value. If $1 billion is under management, that amount, plus the productivity value, provides the total value that's being protected. Add to that the revenue values of transaction assets, and you've got the total value of information assets that require protection.
Intellectual Property Value. This is the most difficult asset to value. It's usually seen as "the reason" a company is in business. There are books with elaborate formulas to calculate intellectual property value; however, it may be easiest to consider intellectual property's contribution to a company's market capitalization. This value can be calculated by multiplying the share of intellectual property captured on systems by the difference between market capitalization and book value.
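As an added example (not from the article), here is a small Python calculator that applies the four value classes above and the Risk = Threat x Vulnerability x Expected Loss formula from the opening to a constructed portfolio, then ranks the assets so the numbers become an action item. The dollar figures, the "share of IP" fraction, the flooring of the market-cap gap at zero, and the reading of threat as attempts per year, vulnerability as success probability and expected loss as cost per event are all assumptions made here, not definitions from the article.

```python
# Added example (not from the article): an asset-valuation and risk calculator
# that applies the article's four value classes and its
# Risk = Threat x Vulnerability x Expected Loss formula to constructed figures.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    """One information asset and the raw figures needed to value it.

    All dollar figures are constructed for illustration, not real data.
    """
    name: str
    tco: float = 0.0                      # productivity value: cost to implement, maintain, use
    daily_revenue: float = 0.0            # transactions processed per day (revenue value)
    assets_under_management: float = 0.0  # liquid financial assets held on the system
    ip_share: float = 0.0                 # share (0..1) of company IP on the system (assumption)


def productivity_value(asset: Asset) -> float:
    """Worth is at least the cost of implementing, maintaining and using the asset."""
    return asset.tco


def revenue_value(asset: Asset, days_per_year: int = 365) -> float:
    """Annualized value of the transactions the asset processes."""
    return asset.daily_revenue * days_per_year


def liquid_value(asset: Asset) -> float:
    """Liquid financial assets (assets under management) protected by the system."""
    return asset.assets_under_management


def ip_value(asset: Asset, market_cap: float, book_value: float) -> float:
    """Share of IP on the asset times the gap between market capitalization and book value.

    The gap is floored at zero: a company trading below book value has no IP
    premium to attribute (an assumption added here, not stated by the article).
    """
    return asset.ip_share * max(market_cap - book_value, 0.0)


def asset_value(asset: Asset, market_cap: float, book_value: float) -> Dict[str, float]:
    """Break an asset's protected value into the four classes plus their total."""
    parts = {
        "productivity": productivity_value(asset),
        "revenue": revenue_value(asset),
        "liquid": liquid_value(asset),
        "intellectual_property": ip_value(asset, market_cap, book_value),
    }
    parts["total"] = sum(parts.values())
    return parts


def prioritize(assets: List[Asset], market_cap: float, book_value: float) -> List[str]:
    """Order assets by total protected value, highest first.

    This is the action item the article asks for: protect these first.
    """
    ranked = sorted(
        assets,
        key=lambda a: asset_value(a, market_cap, book_value)["total"],
        reverse=True,
    )
    return [a.name for a in ranked]


def risk(threat_events_per_year: float, vulnerability: float, expected_loss: float) -> float:
    """Risk = Threat x Vulnerability x Expected Loss, read as an annualized loss.

    Interpretation (an assumption, not the article's definition): threat is the
    number of attempts expected per year, vulnerability is the probability that
    an attempt succeeds, expected loss is the cost of one successful event.
    """
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return threat_events_per_year * vulnerability * expected_loss


# Constructed portfolio, loosely following the article's own illustrations.
MARKET_CAP = 3_000_000_000.0   # constructed
BOOK_VALUE = 1_000_000_000.0   # constructed
PORTFOLIO = [
    Asset("e-commerce web server", tco=2_000_000, daily_revenue=1_000_000),
    Asset("ERP system", tco=20_000_000),
    Asset("trading platform", tco=5_000_000, assets_under_management=1_000_000_000),
    Asset("design repository", tco=500_000, ip_share=0.4),
]

if __name__ == "__main__":
    for a in PORTFOLIO:
        print(a.name, asset_value(a, MARKET_CAP, BOOK_VALUE))
    print("protect first:", prioritize(PORTFOLIO, MARKET_CAP, BOOK_VALUE))
    # 12 attempts a year, one in four succeeds, $50,000 per success -> 150000.0
    print("annualized risk:", risk(12, 0.25, 50_000))
```

Run as a script it prints each asset's breakdown, the protection order (the trading platform's $1 billion under management puts it first, ahead of the design repository's IP contribution), and one annualized risk figure. The breakdown dictionary is kept per value class deliberately, so that a reviewer can see which class drives the ranking rather than only the total.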
This was first published in February 2005