PRAGMATIC Security Metric of the Quarter #7
PRAGMATIC Information Security Metric of the Seventh Quarter
According to the overall PRAGMATIC scores assigned by ACME's managers, the latest metric discussed was the top choice in the three months just past, but it was a close-run thing:
| Example metric | P | R | A | G | M | A | T | I | C | Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Information security incident management maturity | 90 | 95 | 70 | 80 | 90 | 85 | 90 | 85 | 90 | 86% |
| Information security ascendancy | 97 | 87 | 15 | 94 | 86 | 90 | 99 | 97 | 99 | 85% |
| Quality of system security | 83 | 88 | 83 | 73 | 90 | 68 | 80 | 82 | 10 | 73% |
| Integrity of the information asset inventory | 82 | 66 | 83 | 78 | 80 | 43 | 50 | 66 | 70 | 69% |
| Proportion of systems security-certified | 72 | 79 | 73 | 89 | 68 | 32 | 22 | 89 | 88 | 68% |
| Number of different controls | 71 | 75 | 72 | 75 | 88 | 30 | 50 | 65 | 43 | 63% |
| Controls consistency | 78 | 83 | 67 | 60 | 71 | 33 | 27 | 31 | 27 | 53% |
| Value of information assets owned by each Information Asset Owner | 48 | 64 | 78 | 57 | 79 | 38 | 50 | 22 | 26 | 51% |
| Number of information security events and incidents | 70 | 60 | 0 | 50 | 72 | 35 | 35 | 70 | 50 | 49% |
| % of business units using proven identification & authentication | 69 | 73 | 72 | 32 | 36 | 4 | 56 | 2 | 50 | 44% |
| Distance between employee and visitor parking | 1 | 0 | 6 | 93 | 2 | 93 | 66 | 45 | 66 | 41% |
| Employee turn vs account churn | 30 | 30 | 11 | 36 | 44 | 36 | 62 | 57 | 20 | 36% |
| Non-financial impacts of information security incidents | 60 | 65 | 0 | 20 | 60 | 6 | 30 | 20 | 17 | 31% |
"Maturity of the organization's information security incident management activities" seems to us to be an excellent proxy or indicator for the organization's overall approach to information security. The maturity scoring process we have described makes this a valuable metric, not just in terms of the final maturity rating but also in terms of the additional information that emerges when comparing current practices against accepted good practices.
Just as interesting are the metrics languishing at the bottom of the league table. For example, "Non-financial impacts of incidents" may appear, at first glance, to hold considerable promise as a security metric, but the PRAGMATIC score clearly indicates ACME management's severe misgivings once they explored the metric in more detail.
Instead of simply selecting metrics on the basis of their overall PRAGMATIC scores, management could instead select high-rating metrics for any one of the individual PRAGMATIC criteria, or any combination thereof - for example, 'information security ascendancy' is rated the most predictive and cost-effective security metric of this little lot.
In researching and developing the PRAGMATIC method for the book, we explored the possibility of weighting the PRAGMATIC ratings in order to place more or less emphasis on the criteria. There may be situations where that is a sensible approach but, in the end, we decided that the overall PRAGMATIC score was the most valuable and straightforward metametric.