Manage Learn to apply best practices and optimize your operations.

Establishing a Metrics Management System

This chapter is designed to provide basic guidance necessary for the development of a metrics methodology to understand what, why, when and how infosec can be measured.

The following excerpt is from chapter 9, Establishing a Metrics Management System, of The Information Systems Security...

Officer's Guide: Establishing and Managing an Information Protection Program, written by Gerald L. Kovacich and published by Butterworth-Heinemann.

Some of the most common complaints ISSOs make are that management doesn't support them, and -— as the famous comedian Rodney Dangerfield is known for saying -- "I get no respect." Another complaint is that the cost and benefits of infosec cannot be measured.

As for the first two, you get support because you are being paid -- and these days, more often than not, quite handsomely -- and you have a budget that could have been part of corporate profits. Furthermore, respect is earned. Besides, if you want to be popular, you are definitely in the wrong profession.

One often hears management ask:

  • "What is all this security costing me?"
  • "Is it working?"
  • "Can it be done at less cost?"
  • "Why isn't it working?"

    That last question often comes right after a successful denial-of-service attack or some other attacks on the corporate systems or Web sites. Of course, many ISSOs respond by saying that it can't be measured. That is often said out of the ISSO's ignorance of processes to measure costs or because the ISSO is too lazy to track costs.

    The more difficult question to answer is, "What are the measurable benefits of a CIAPP and infosec functions that provide support under the CIAPP?" Of course, one could always use the well-worn-statement, "It can only be measured as a success or failure depending on whether or not there have been successful attacks against our systems." The truth is that many attacks go unnoticed, unreported by the users or IT people. Furthermore, separating attacks from "accidents" (human error) is usually not easy; however, metrics can help in the analyses.

    What is a metric?

    To begin to understand how to use metrics to support management of a CIAPP, it is important to understand what is meant by "metrics." For our purposes, a metric is defined as a standard of measurement using quantitative, statistical, and/or mathematical analyses.

    What is an infosec metric?

    An infosec metric is the application of quantitative, statistical, and/or mathematical analyses to measuring infosec functional trends and work-load -- in other words, tracking what each function is doing in terms of level of effort (LOE), costs and productivity.

    There are two basic ways of tracking costs and benefits. One is by using metrics relative to the day-to-day, routine operations of each infosec function. These metrics are called level of effort (LOE) and are the basic functions noted in the ISSO's charter of responsibilities and accountabilities. Examples would be daily analyses of audit trail records of a firewall; granting users access to systems; and conducting noncompliance inquiries. In more financial terms, these are the recurring costs.

    The other way of tracking costs and benefits is through formal project plans. In other words, if the tasks being performed are not the normal LOE tasks, then they fall under projects. Remember that functions are never-ending, daily work, while projects have a beginning and ending date with a specific objective. In more financial terms, these are the nonrecurring costs.

    So, in order to efficiently and effectively develop a metrics management program, it is important to establish that philosophy and way of doing business. Everything that an ISSO and staff do can be identified as fitting into one of these two categories: LOE or project.

    >> Read the rest of this chapter.

    >> Learn more about metrics management in the on-demand webcast with Gerald L. Kovacich, How to measure costs and successes of infosec.

    Special Offer From the Publisher

    Through this special offer, TechTarget members only can get Dr. Gerald Kovacich's best-selling, industry leading title The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program for just $33.50, 30% of the retail price. This valuable guide presents a straight-forward business approach to the topics needed for the infosec professional. Covering a broad range of topics, beginning with defining the position of the information systems security officer (ISSO), to establishing and managing an infosec program, the author writes from 20 years of research and experience. To take advantage of this special offer visit and enter 74434 in the Offer Code field or call Customer Service at 800-545-2522 and give them offer code 74434 to get your special price.

  • This was last published in June 2003

    Dig Deeper on Information security certifications, training and jobs