Previously we discussed how security-related risks must be categorized to get a better handle on them. We proposed a graphic framework that can be used for this:
- Early Warning System (EWS) – Categorizing the risks
Here we expand upon this framework and develop the graphic overview in somewhat more detail. Nonetheless, the starting point is the general schema outlined above, so you should look at it first.
In the above story we pointed out that SMEs play a vital role in most if not all economies. Unfortunately, much of the risk and IT security literature seems to ignore this fact. In other words, support for this type of firm is limited, if not non-existent for all practical purposes.
Unfortunately, employing fewer than 10 staff can mean that security metrics neither get the attention they deserve nor are the human resources (i.e. a security engineer) in place to take care of these matters.
Based on the above, it seems ever more important to provide checklists and tools for security metrics that SMEs can apply easily and quickly.
WHERE SHOULD WE START?
To start with, the framework outlined here should be used to get order in a not necessarily nicely structured problem:
- Early Warning System (EWS) – Categorizing the risks
As well, at this stage it is important to reiterate that metrics are a system of measurement. In this case, metrics are a way of measuring security, specifically measuring an organization’s security posture.
While there may be some guidelines or even standards that outline how the impact of security efforts on security posture can be measured, ideally security metrics should be adjusted and tuned to fit a specific organization or situation.
Naturally, a micro enterprise with 7 employees and 1 Mio Euro turnover will require different security metrics compared to an SME with about 200 employees and possibly 40 Mio Euro turnover. Below we have tried to provide you with a schema for arriving at security risk indicators and security metrics for your enterprise.

[Graphic: CyTRAP Labs framework for security metrics that works]
We started with risk examples that might be applicable in most enterprises, including SMEs. In fact, the five we list are those considered the Minimum Essential (“Fundamental Five”) Practices published in the Corporate Information Security Working Group Report of the Best Practices and Metrics Teams (revised January 10, 2005), Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, United States House of Representatives.
From there we identified the risk causes. For instance, identity management mechanisms can be a risk, and this could be caused by improper authentication, authorization and access control procedures. A risk indicator that should be watched, and a metric that allows measuring the indicator, is the number of user accounts that are still active on the fifth of the coming month even though those individuals left at the end of the previous month.
The above provides a simple framework; the key risk indicators listed on the right of the schema need to be adjusted according to the organization's characteristics and its environment (country, business field, etc.).
But one has to start somewhere to get a handle on these risks. Unfortunately, without writing these down and putting them on paper it is sometimes difficult to convince other stakeholders of how critical it is for the firm’s success to get control over the information security issues identified. But we should remember that if we use more than 7 security metrics, it will become difficult to focus on the matters that are critical.
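As an added example (not code from the original post), the following Python snippet computes exactly this indicator: on the measurement date it joins HR leaver records against an account-directory snapshot and reports how many leavers from earlier months still have an enabled account, and how many of those accounts were used after the person left. The records, field names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumption, not from the original post):
# HR leaver records and an account-directory snapshot taken on the 5th.
LEAVERS = [
    {"user": "amueller", "left": date(2024, 4, 30)},
    {"user": "bkeller", "left": date(2024, 4, 30)},
    {"user": "cfrei", "left": date(2024, 4, 12)},
    {"user": "dhuber", "left": date(2024, 5, 2)},  # left this month, not yet due
]
ACCOUNTS = {
    "amueller": {"enabled": True, "last_login": date(2024, 5, 3)},
    "bkeller": {"enabled": False, "last_login": date(2024, 4, 29)},
    "cfrei": {"enabled": True, "last_login": None},
    "dhuber": {"enabled": True, "last_login": date(2024, 5, 4)},
    "emeier": {"enabled": True, "last_login": date(2024, 5, 4)},  # current staff
}


def orphaned_accounts(leavers, accounts, measured_on):
    """Return (user, used_after_leaving) for every leaver whose departure fell
    before the measurement month but whose account is still enabled."""
    month_start = measured_on.replace(day=1)
    orphans = []
    for rec in leavers:
        if rec["left"] >= month_start:
            continue  # left during this month; due for the next cycle
        acct = accounts.get(rec["user"])
        if acct is None or not acct["enabled"]:
            continue  # deprovisioned: the offboarding control worked
        last = acct["last_login"]
        used_after_leaving = last is not None and last > rec["left"]
        orphans.append((rec["user"], used_after_leaving))
    return orphans


def kri_report(leavers, accounts, measured_on):
    """The monthly key risk indicator as a small, reportable dictionary."""
    month_start = measured_on.replace(day=1)
    due = [r for r in leavers if r["left"] < month_start]
    orphans = orphaned_accounts(leavers, accounts, measured_on)
    return {
        "measured_on": measured_on.isoformat(),
        "leavers_due": len(due),
        "still_active": len(orphans),
        "used_after_leaving": sum(1 for _, used in orphans if used),
        "accounts": [user for user, _ in orphans],
    }


if __name__ == "__main__":
    print(kri_report(LEAVERS, ACCOUNTS, date(2024, 5, 5)))
```

A non-zero "used_after_leaving" count is the part worth escalating, since it shows an orphaned account was not merely forgotten but actually logged into.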
- Security metrics – what affects business continuance – focus on impact?
Instead, too many things that might be important but are not critical distract us from focusing on growing the business.
See also:
- CyTRAP Labs – guide – the seven deadly sins of security metrics
- Security metrics – what affects business continuance?