SMotW #78: % of policies addressing viable risks

Security Metric of the Week #78: proportion of information security policies addressing genuine risks


Writing policies is easy: writing policies that are relevant is harder than it sounds, and writing policies that are readable, fully implemented and straightforward to assess for compliance is harder still.  This week's example metric is intended to highlight policies that are irrelevant or pointless, for example those concerning situations or risks that are remote (extremely unlikely) in practice.  If there is no conceivable combination of threat, vulnerability and business impact, there is little chance of an information security incident, hence a policy (or in fact any other form of control) is probably unnecessary.

ACME rated the metric at 75% on the PRAGMATIC scale:

P    R    A    G    M    A    T    I    C    Score
65   76   91   73   83   77   70   61   78   75%

There was some interest in using the metric to identify unnecessary policies and controls that could be eliminated, simplifying ACME's Information Security Management System and cutting costs and red tape, while at the same time focusing attention on the remaining policies and controls - the ones that actually matter.
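As an added illustration (not code from the original post), the following Python script applies the viability test described above - a risk is only viable when a threat, a vulnerability and a business impact all exist - to a constructed, hypothetical ACME policy inventory, reports the metric, lists the policies that are candidates for elimination, and checks the PRAGMATIC aggregate against the table. The policy titles and scenarios are invented for the example.

```python
from dataclasses import dataclass, field

# A risk scenario is only viable if a threat, a vulnerability AND a business
# impact are all present; if any ingredient is missing the risk is remote.
@dataclass
class RiskScenario:
    name: str
    threat: bool          # is there a credible threat agent or event?
    vulnerability: bool   # is there an exploitable weakness?
    impact: bool          # would the business actually be harmed?

    def viable(self) -> bool:
        return self.threat and self.vulnerability and self.impact

@dataclass
class Policy:
    title: str
    risks: list = field(default_factory=list)  # scenarios the policy addresses

    def addresses_viable_risk(self) -> bool:
        return any(r.viable() for r in self.risks)

def policy_relevance_metric(policies):
    """Return (% of policies addressing a viable risk, titles to review)."""
    if not policies:
        return 0.0, []
    relevant = [p for p in policies if p.addresses_viable_risk()]
    candidates = [p.title for p in policies if not p.addresses_viable_risk()]
    return round(100 * len(relevant) / len(policies), 1), candidates

def pragmatic_score(ratings):
    """Mean of the nine PRAGMATIC ratings, rounded to a whole percentage."""
    if len(ratings) != 9:
        raise ValueError("PRAGMATIC has nine criteria")
    return round(sum(ratings) / 9)

# Constructed (hypothetical) ACME policy inventory for the example.
ACME_POLICIES = [
    Policy("Acceptable use", [RiskScenario("malware via personal browsing", True, True, True)]),
    Policy("Backup and recovery", [RiskScenario("ransomware destroys data", True, True, True)]),
    Policy("Mainframe tape library handling",
           [RiskScenario("tape theft", True, False, True)]),  # no tapes remain: no vulnerability
    Policy("Telex security", [RiskScenario("telex interception", False, False, False)]),
]
ACME_PRAGMATIC = [65, 76, 91, 73, 83, 77, 70, 61, 78]  # ratings from the table above

if __name__ == "__main__":
    pct, review = policy_relevance_metric(ACME_POLICIES)
    print(f"{pct}% of policies address viable risks; review for removal: {review}")
    print(f"PRAGMATIC score: {pragmatic_score(ACME_PRAGMATIC)}%")
```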

This is an example of a management-level metric, as opposed to those of strategic value to senior management or those more operational in nature.  It's the kind of metric that ACME's Information Security Manager might generate and report periodically to the CISO while sifting systematically through the policies and controls, weeding out any that are no longer relevant.

On the matter of policies being 'readable, fully implemented and straightforward to assess for compliance', ACME considered other metrics that would complement this one.  It might be possible to come up with a single security metric covering all aspects of policy, and senior management might well prefer one high-level figure; in practice, though, it would probably be built from a variety of more detailed metrics such as this one, which are more useful to the CISO, ISM and others.