SMotW #5: Accounts per employee

Security Metric of the Week #5: ratio of number of IT system accounts (user IDs) to number of employees 


The mean number of IT system accounts or user IDs per employee is one measure of how well an organization controls the issue, maintenance and withdrawal of IDs, which in turn is an indicator of its maturity towards IT security.  

If user IDs are essentially unmanaged, they are created on a whim (implying a lack of control over the privileged IDs needed to create IDs) and seldom reviewed or removed, even when employees change jobs or leave the organization.  Over time, the number of redundant (no longer required) IDs builds up, creating further issues such as the possibility of IDs being re-used inappropriately, and difficulties reviewing and reconciling IDs to people due to the amount of junk.

If they are well managed, all user IDs have to be justified and linked to individual people performing specific roles.   Effective user ID administration processes ensure that ID creation/change requests are properly checked and formally authorized before being actioned, and periodic reviews take place to confirm that no unauthorized changes have been made.  The overall effect is greater personal accountability for the use of IT systems.

"Employee" would need to be carefully defined for the purposes of this metric - for instance, the ratio may or may not take into account temps, interns, contractors etc.  The metric's specification would also need to be clear about non-interactive/special purpose user IDs, such as those used to install or run services.  The way these aspects are specified is less important than clarity of the specification, since that affects the consistency and validity of the metric over successive periods.

P
R
A
G
M
A
T
I
C
Score
74
67
38
39
68
42
36
83
44
55%





For such an ostensibly useful metric, the PRAGMATIC score works out at a disappointing 55%, held back by the Actionable, Genuine, Accurate, Timely and Cost criteria.  The upshot is that it may be worthwhile addressing these factors specifically in order to gain the benefit of the metric, unless higher-scoring alternative metrics can be found.  [In the book we suggest security maturity metrics, for example, that score highly and hence are better ways of measing that particular aspect.]