SMotW #42: Consequences of noncompliance

Security Metric of the Week #42: Historic consequences of noncompliance

The title or name of this metric is not exactly crystal clear.  We presume it involves totting-up the fines and penalties resulting from noncompliance with (information security relevant) legal, regulatory and contractual obligations.


Knowing how much security noncompliance is costing the organization might conceivably help management determine whether sufficient resources are being applied to compliance activities ... but the metric has a few issues.  

It is historical, for starters, and we're not certain that projected trends would be meaningful in this context.  Noncompliance incidents tend to occur sporadically or in clusters (since investigating one incident may dig up others) rather than regularly and predictably.  

The time taken to identify, calculate and sum the compliance costs is another concern.

Fines and penalties are not the only costs of noncompliance.  Bad publicity resulting from enforcement notices can cause brand damage, but how much is anyone's guess.  It 
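To make the discussion concrete, here is an added worked example (not code from the SMotW post or the PRAGMATIC book) that computes the metric as we read it: fines and penalties summed per quarter from a constructed log of noncompliance consequences. It also illustrates the two concerns above: it fits a trend to the quarterly series and reports how spiky the series is, and it totals the analyst hours spent establishing the figures. The event log, obligation labels, amounts and hours are all constructed for the example; the field names and functions are our own.

```python
"""Added example: 'historic consequences of noncompliance' from a constructed
incident log, plus checks on whether the series supports a trend projection
and on how much effort producing the figures took."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class NoncomplianceConsequence:
    incurred: date
    obligation: str            # constructed label for the legal/regulatory/contractual duty
    fine: float                # amount levied by a regulator or court
    penalty: float             # contractual penalty or settlement paid
    indirect_estimate: float   # e.g. brand damage: a guess, not an invoice
    hours_to_quantify: float   # analyst effort spent establishing the figures above


# Constructed sample: one large fine, a quiet quarter, then a cluster turned up
# by a single investigation, another quiet quarter, then a small penalty.
SAMPLE_EVENTS = [
    NoncomplianceConsequence(date(2021, 2, 10), "privacy regulator", 40000, 0, 100000, 12),
    NoncomplianceConsequence(date(2021, 8, 3), "customer contract A", 0, 15000, 0, 6),
    NoncomplianceConsequence(date(2021, 8, 3), "customer contract B", 0, 8000, 0, 4),
    NoncomplianceConsequence(date(2021, 9, 20), "customer contract C", 0, 12000, 0, 5),
    NoncomplianceConsequence(date(2022, 3, 1), "payment card scheme", 0, 5000, 20000, 9),
]


def quarter_label(d: date) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarter_labels_between(first: date, last: date) -> list[str]:
    """Every quarter from first to last inclusive, so quiet quarters show as zeros."""
    y, q = first.year, (first.month - 1) // 3 + 1
    end = (last.year, (last.month - 1) // 3 + 1)
    labels = []
    while (y, q) <= end:
        labels.append(f"{y}Q{q}")
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)
    return labels


def quarterly_totals(events, include_indirect=False) -> dict[str, float]:
    """The metric itself: fines plus penalties summed per quarter, optionally
    adding the indirect estimates (which, as the post says, are guesswork)."""
    totals = defaultdict(float)
    for e in events:
        amount = e.fine + e.penalty + (e.indirect_estimate if include_indirect else 0.0)
        totals[quarter_label(e.incurred)] += amount
    return dict(totals)


def quarterly_series(events, include_indirect=False) -> tuple[list[str], list[float]]:
    """Labels and values for every quarter in the log's date range, zeros included."""
    totals = quarterly_totals(events, include_indirect)
    dates = [e.incurred for e in events]
    labels = quarter_labels_between(min(dates), max(dates))
    return labels, [totals.get(lbl, 0.0) for lbl in labels]


def trend_slope(values) -> float:
    """Least-squares slope (currency per quarter) of the series against its index."""
    n = len(values)
    xbar, ybar = (n - 1) / 2, mean(values)
    den = sum((x - xbar) ** 2 for x in range(n))
    return sum((x - xbar) * (y - ybar) for x, y in enumerate(values)) / den if den else 0.0


def coefficient_of_variation(values) -> float:
    """Spread relative to the mean; well above 1 means the quarters are dominated
    by sporadic spikes and a fitted trend says little about the next quarter."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def quantification_effort_hours(events) -> float:
    """Cost of producing the metric: hours spent identifying and summing the figures."""
    return sum(e.hours_to_quantify for e in events)


if __name__ == "__main__":
    labels, values = quarterly_series(SAMPLE_EVENTS)
    for lbl, v in zip(labels, values):
        print(f"{lbl}: {v:>10,.0f}")
    print(f"fitted slope: {trend_slope(values):,.0f} per quarter")
    print(f"coefficient of variation: {coefficient_of_variation(values):.2f}")
    print(f"analyst hours to produce the figures: {quantification_effort_hours(SAMPLE_EVENTS):.0f}")
```

On the constructed log the fitted slope is negative (the figure appears to be falling by 7,000 per quarter), yet the coefficient of variation is above 1 because two quarters are zero and one quarter carries a cluster of three penalties from a single investigation; that is the pattern that makes a projected trend of this metric hard to trust.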

Running the metric through the PRAGMATIC process resulted in a score of 68%:

P    R    A    G    M    A    T    I    C    Score
70   80   72   82   80   80   20   67   65   68%

As compliance metrics go, this is not one of the best.