As you might have expected, there is no consensus on which security metrics should be used to measure security effectiveness and to benchmark the enterprise.
2004-04-06: The Robert Frances Group reported in CSO magazine that the companies it surveyed collected the following data elements to assess security effectiveness (percentages are the share of surveyed companies collecting each element):
| Which of the following key data elements does your organization collect? | Share of respondents |
|---|---|
| Viruses detected in user files | 92.3% |
| Viruses detected in e-mail messages | 92.3% |
| Invalid logins (failed password) | 84.6% |
| Intrusion attempts | 84.6% |
| Spam detected/filtered | 76.9% |
| Unauthorized website access (content filtering) | 69.2% |
| Invalid logins (failed username) | 69.2% |
| Viruses detected on websites | 61.5% |
| Unauthorized access attempts (internal) | 61.5% |
| Admin violations (unauthorized changes) | 61.5% |
| Intrusion successes | 53.8% |
| Unauthorized information disclosures | 38.5% |
| Spam not detected (missed) | 38.5% |
| Spam false positives | 30.8% |
| Other | 23.1% |

Note that every percentage in the table is a multiple of 1/13 (92.3% = 12/13, 84.6% = 11/13, and so on), so the survey appears to rest on roughly 13 respondents; the figures indicate which metrics are commonly collected, but the differences between rows should not be over-interpreted.
We can wholeheartedly agree that IT executives must ensure that the metrics they collect are useful and understandable. But looking at the numbers above, how can they be linked to bottom-line and strategic issues? Put differently, to manage the costs and resources invested in this process, top management has to understand how such metrics relate to its task of enterprise risk management and profitability. Note also that most of the widely collected items are counts of activity (viruses detected, failed logins, intrusion attempts) rather than outcomes (intrusion successes, information disclosures), and that the detection-quality metrics (missed spam, spam false positives) are collected least often, even though a detection count means little without its miss and false-positive rates.
While centralizing these metrics and automating their analysis can be helpful, unless the metrics help in managing the strategic focus of the enterprise, they are of limited use. For this purpose we have developed a brief that outlines:
- CyTRAP Labs – developing effective IT security metrics(click on Login as a Guest for free access)
The checklist in the brief is illustrated using the malware and virus infection ratios that also appear in the table above. Applying the checklist shows that unless some hard-nosed decisions are made, and a careful and systematic analysis is carried out before an IT security metric is approved, the firm ends up with:
1) too many metrics (see the table above) that
2) help little in managing risks and strategic objectives.
Check it out, you will be surprised.