Knit your own security metrics

This morning on the ISO27k forum, Vurendar told us: 

"I saw your pragmatic book but I was confused on the way criteria and no's were assigned. If you could guide, it will really help. I'm doing an RBI-based compliance assessment where the regulator has asked for such metrics. Help would be really appreciated."

Here's my reply. 

For guidance on choosing which metrics to take a look at and maybe score, I recommend Lance Hayden's book "IT Security Metrics" which describes the Goal-Question-Metric approach. 

Essentially, the idea is to figure out the main Goals/objectives (such as "We must protect the most valuable information strongly"), then explore each objective by posing related rhetorical Questions (such as "How do we know what information is the most valuable?" and "How strongly are we protecting it?"), and from there figure out what Metrics might help you answer those questions. GQM resonates with me. See what you think.

Doug Hubbard's book "How to Measure Anything" is a popular textbook on measurement techniques.

It's easy to come up with a bunch (dozens, hundreds, even thousands!) of possible metrics and variants. The GQM method, crude brainstorming, the various books, websites and methods that list metrics, ISO/IEC 27004, Googling, or simply asking around to find out what metrics people use or recommend, all share the same problem: how do you decide which of all the possible metrics, if any, are actually worth using? That's the challenge we addressed in PRAGMATIC Security Metrics.

For guidance on the PRAGMATIC method for scoring, comparing, selecting and improving metrics, please take a look at SecurityMetaMetrics.com. It's a systematic way to score and evaluate individual metrics according to the P.R.A.G.M.A.T.I.C. parameters outlined on the website and described in detail (with ~100 worked examples!) in the book.

I work with consulting clients to:
  • Review their existing metrics and approach to measurement; 
  • Develop business-focused measurement strategies; 
  • Design measurement systems and metrics suites with a selection of worthwhile metrics; 
  • Integrate the metrics into their management information flows and governance processes; 
  • Use them systematically to drive performance.  
It's an advanced topic though, something worth doing as an ISMS matures. The process is quite involved and tricky in parts ... but clients learn a lot about their organizations' information risk and security-related objectives, figure out what information their managers actually need, and end up with a much better grip on things.