What is it?
A quantifiable measurement used to help organizations evaluate performance.
Why is it important?
Metrics provide a standard for measuring the performance of governance programs and controls established to protect an organization’s assets, interests, and resources.
Why does a business professional need to know this?
Metrics help business professionals evaluate the level of performance achieved by their cybersecurity initiatives. Good metrics depend on good data and a consistent model for interpreting that data.
The foundation of good data is context, which determines the significance of a metric. For example, metrics about perimeter defenses have a different context than metrics about compliance with policies and procedures. Once the context is understood, cybersecurity specialists can identify meaningful things to measure.
Metrics can apply to anything; however, cybersecurity metrics should focus on information critical for protecting an organization: asset information, impact information, threat information, and controls information.
The effectiveness of cybersecurity metrics also depends on the model used to analyze the data. Many business disciplines use predictive models to forecast an expected outcome based on available data. Within cybersecurity, frequency distributions provide an effective model for metrics because they support observations about the effectiveness of different initiatives over time. This approach helps establish an initial benchmark that the organization can use as a reference to highlight the extent to which an initiative is successful or failing.
Example: An organization establishes a baseline with the average occurrence (mean frequency) of a successful attack = [x]. Based on risk tolerance, the stability, increase, or decrease of [x] allows the organization to measure the effectiveness of existing controls and decide what additional steps are appropriate to reduce the frequency of successful attacks.
Metrics, in and of themselves, do not prevent breaches. However, good metrics provide information to justify investment in the tools, products, and personnel needed to improve security programs. Without metrics, it is difficult for management to know where to focus resources to achieve meaningful outcomes
- (Chew 2008) NIST Performance Measurement Guide for Information Security: Chew, Elizabeth, et al. (2008). National Institute of Standards and Technology (NIST). PDF. A guide to assist in the development of metrics to measure the effectiveness of security controls.
- (Jordan 2017) The Evil of Vanity Metrics: Jordan, Chris (2017). HelpNet Security. A critique that discusses the need for technical and business metrics in determining the cost of cybersecurity threat prevention and the cost of analyzing and responding to security events.
- (Hubbard 2014) How to Measure Anything: Finding the Value of Intangibles in Business: Hubbard, Douglas W. (3rd ed. 2014). Wiley. Book. Discusses how to measure things often considered
immeasurable,including customer satisfaction, organizational flexibility, technology risk, and technology return on investment.
- (Knaflic 2015) Storytelling with Data: A Data Visualization Guide for Business Professionals: Knaflic, Cole Nussbaumer (2015). Wiley. Book. Covers the fundamentals of data visualization and how to communicate effectively with data.
- (Tenable 2018) Using Security Metrics to Drive Action: Tenable Network Security. Recommendations and best practices for communicating with business executives and board members about cybersecurity issues. Registration required.