Information Security Policies

Information Security Metrics
© Almerindo Graziano
Why Measure Information Security
• Improve accountability for security
• Better administer the “security” budget
• Make it possible to measure the success or failure of investments made
• Give a business value to security
• Assess the effectiveness of implemented processes, procedures and controls
• Standards compliance (ISO 27001)
Why Measure Information Security (2)
• Ability to isolate problems
• End up with data you can reuse :-)
• Benchmarking
• Ability to track the risk profile
• Show commitment to proactive information security
Security Metrics? What's That?
• No shared understanding of:
  • What they mean
  • What we can/should measure
  • How to define them
  • What to do with the measurement
Defining Security Metrics
• Many definitions
  • Quantitative vs Qualitative
  • Thinkers vs Feelers
  • Simple vs Complex
• “Metrics are a system of parameters or ways of quantitative and periodic assessment of a process that is to be measured, along with the procedures to carry out such measurement and the procedures for the interpretation of the assessment in the light of previous or comparable assessments” (Wikipedia)
• “Monitor and measure implementation effectiveness of security controls within the context of the security program” (NIST)
Lots to Measure Here!
• Information Security Management System
  • Technical Controls
  • Management Processes
  • Business Processes
  • Procedures
  • Policies
• For each of these: Level of Implementation, Effectiveness/Efficiency, Impact, User compliance, etc.
Classification of Security Metrics
• NIST
  • Implementation, Effectiveness/Efficiency, Impact
  • 17 security control families
  • Time dimension
• BSI (ISO 27001)
  • Management controls, business processes, operational controls, technical controls, audits, review and testing
  • 11 control objectives
  • Implementation, Effectiveness and Performance
Security Metrics for ISO 27001
Developing Security Metrics I
• NIST
  1) Implementation Metrics
  2) Effectiveness and Efficiency Metrics
  3) Impact Metrics
• What do we measure?
  • Single Controls
  • Multiple Controls
Developing Security Metrics II
• BSI (ISO 27001)
  • ISMS Metrics
    • Performance and Effectiveness
    • Not Implementation
  • Controls Metrics
    • Effectiveness and Implementation
    • Control or groups of controls
What's in a Metric
Conclusions...
• Adopt a security metrics model (NIST/BSI)
  • Definitions included
  • Support for metrics development and follow-up
• What to measure
  • Not necessarily control-specific
  • May aggregate more than one control according to goals
  • Start with high-priority controls/goals first
  • Linked to business objectives (involve stakeholders)
...conclusions
• Types of metrics
  • Implementation, effectiveness, efficiency and impact
• Implementation
  • May be phased according to the system's maturity
  • Remember that data may not be available
  • Start from processes that are stable and from which data can be realistically obtained
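Worked example, added here and not part of the original slides: the NIST metric types listed above (implementation, effectiveness/efficiency, impact) computed over a constructed set of controls, both per control and aggregated over a group of controls, with missing data reported rather than silently counted as zero, as the conclusions recommend. Control identifiers, family names and all figures are constructed for illustration; the metric formulas (percentage of in-scope systems covered, percentage of observed events handled, events handled per staff hour, loss avoided) are assumptions chosen for the example, not definitions taken from NIST or BSI.

```python
"""Implementation / effectiveness / efficiency / impact metrics over a group
of controls (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ControlRecord:
    """Evidence collected for one control over one measurement period."""
    control_id: str
    family: str                           # hypothetical grouping (e.g. a control objective)
    systems_in_scope: int                 # implementation: systems that should have the control
    systems_implemented: int              # implementation: systems that actually have it
    events_observed: Optional[int] = None # effectiveness: events the control should have handled
    events_handled: Optional[int] = None  # effectiveness: events it actually handled
    hours_spent: Optional[float] = None   # efficiency: staff hours operating the control
    loss_avoided: Optional[float] = None  # impact: estimated loss avoided (currency units)


def ratio(num, den) -> Optional[float]:
    """Percentage num/den, or None when the data is not available, so a
    missing measurement is never mistaken for a 0% result."""
    if num is None or den is None or den == 0:
        return None
    return round(100.0 * num / den, 1)


def implementation_metric(c: ControlRecord) -> Optional[float]:
    return ratio(c.systems_implemented, c.systems_in_scope)


def effectiveness_metric(c: ControlRecord) -> Optional[float]:
    return ratio(c.events_handled, c.events_observed)


def efficiency_metric(c: ControlRecord) -> Optional[float]:
    """Events handled per staff hour; None when either figure is missing."""
    if c.events_handled is None or not c.hours_spent:
        return None
    return round(c.events_handled / c.hours_spent, 2)


def impact_metric(c: ControlRecord) -> Optional[float]:
    return c.loss_avoided


def aggregate(controls, metric_fn: Callable, how: str = "mean"):
    """Aggregate one metric across a group of controls (e.g. all controls
    serving one goal). Returns (value, controls_with_data, ids_without_data).
    Controls lacking data are excluded and listed, not treated as zero."""
    values = [(c.control_id, metric_fn(c)) for c in controls]
    have = [v for _, v in values if v is not None]
    missing = [cid for cid, v in values if v is None]
    if not have:
        return None, 0, missing
    total = sum(have)
    value = total if how == "sum" else total / len(have)
    return round(value, 1), len(have), missing


METRICS = {
    "implementation": implementation_metric,
    "effectiveness": effectiveness_metric,
    "efficiency": efficiency_metric,
    "impact": impact_metric,
}


def metrics_report(controls):
    """Per-control metrics plus group aggregates; impact is summed,
    the percentage-style metrics are averaged."""
    report = {"controls": {}, "group": {}}
    for c in controls:
        report["controls"][c.control_id] = {n: fn(c) for n, fn in METRICS.items()}
    for name, fn in METRICS.items():
        value, n, missing = aggregate(controls, fn, "sum" if name == "impact" else "mean")
        report["group"][name] = {"value": value, "controls_with_data": n, "missing": missing}
    return report


# Constructed sample: three controls at different levels of maturity. CTRL-03 is
# newly deployed, so only implementation data exists for it yet.
SAMPLE_CONTROLS = [
    ControlRecord("CTRL-01", "Malware protection", 200, 190,
                  events_observed=40, events_handled=38, hours_spent=20, loss_avoided=15000),
    ControlRecord("CTRL-02", "Network controls", 50, 45,
                  events_observed=12, events_handled=9, hours_spent=30),
    ControlRecord("CTRL-03", "Vulnerability management", 200, 120),
]

if __name__ == "__main__":
    import json
    print(json.dumps(metrics_report(SAMPLE_CONTROLS), indent=2))
```

The `missing` list in each group aggregate is the practical output: it shows which controls are not yet mature enough to report a given metric type, which is what lets a programme phase effectiveness and impact metrics in later while implementation metrics are reported from the start.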
References
• NIST SP 800-80, Guide for Developing Performance Metrics for Information Security (2006)
• NIST SP 800-55, Security Metrics Guide for Information Technology Systems (2003)
  • Security metrics programme, sample IT security metrics
• Humphreys T, Plate A (2006). Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. British Standards Institution.
  • Metrics templates and examples
  • PDCA model, sample metrics
• Security Metrics portal: http://teaching.shu.ac.uk/aces/ag/securitymetrics/