Security metric #51: rate of IT change
Security Metric of the Week #51: perceptions of rate of change in IT
"Perceptions" are opinions, hence this is a clearly a highly subjective measure. Nevertheless, it could be argued that extreme readings have some information security significance. Rapidly changing or highly dynamic IT towards the right of the U-shaped curve implies that those surveyed are distinctly uncomfortable with the pace of change. ACME may perhaps be struggling to keep up with new technology, hence it may not be on top of the information security aspects, increasing its information security risks. Conversely, slowly changing or relatively static IT on the left implies that ACME may not be investing in technology, hence it may be falling behind on information security and again may be taking risks. In the middle ground, the impression is that those surveyed are relatively comfortable with the changing IT ... but it takes a leap of faith to equate their comfort to a low level of information security risk.
The PRAGMATIC score of just 41% indicates that ACME managers were less than impressed with this potential information security metric:
P | R | A | G | M | A | T | I | C | Score |
40 | 50 | 6 | 65 | 70 | 50 | 30 | 14 | 40 | 41% |
The italicized words in the first paragraph stem from its subjectivity and the presumed cause-effect relationship between rate of change in IT and information security risk. There is no proven factual basis, no science behind the U-shaped curve. It's guesswork, which is like Kryptonite for metrics.
Meriting just 6% on the Actionability criterion drops this metric firmly into the "So what?" bucket with a resounding clang. Even if the perceived rate of change of IT was determined to be very high or very low on a survey scale, there's not a lot that could be done to address the presumed information security aspects without much more information than the metric alone provides. Low ratings in other criteria effectively seal its fate.
Having said that, the metric may have some value in relation to ACME's IT strategy and its IT investments. It might be worth reconsidering and re-scoring the metric in that context, depending on what other IT investment strategy metrics might be in use or under consideration. It would be quite straightforward to adapt the PRAGMATIC approach to that or indeed other contexts, especially if management was comfortable with the method.