March 4, 2006
The following provides information on techniques for aggregating, refining, and reporting security metrics. Fair game for this page includes technologies for gathering and transforming raw data, generating reports, and creating security dashboards.
Security Metrics Guide for Information Technology Systems, Swanson M, Bartol N, Sabato J, Hash J, & Graffo L, NIST Special Publication 800-55 (Washington, DC: National Institute of Standards and Technology, 2003), 99 pp, PDF.
This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.
Implementing a Network Security Metrics Program, Lowans PW, Global Information Assurance Certification Thesis, March 2004, 10 pp, MS Word.
You need to measure something before you can manage it. Metrics are the only way you can measure the quality of your network and its security. It is the only way you can tell if the improvements to your security are working. You need to be able to report this quality to your management, and they mainly understand numbers, percentages, graphs and charts. They need to know the threats to their network and the amount of risk in not taking action to correct them. Metrics can help you quantify this information. This paper will provide you with information on how to implement a security metrics program that is based in part on the already extensive amount of information on software metric programs.
Metrics: You Are What You Measure!, Hauser JR & Katz GM, European Management Journal, October 1998, 28pp, PDF.
This paper focuses on the selection of good metrics. There is no magic bullet. Many metrics seem right and are easy to measure, but have subtle, counter-productive consequences. Other metrics are more difficult to measure, but focus the enterprise on those decisions and actions that are critical to success. We suggest how to identify metrics that achieve balance in these effects and enhance long-term profitability. To gain an understanding of the properties of good metrics we begin with a summary of how metrics fail. These seven pitfalls provide examples of where metrics have produced counter-productive results. We then suggest a seven step system to design effective, “lean” metrics.
The Goal: A Process of Ongoing Improvement, Eliyahu Goldratt and Jeff Cox, North River Press, copyright 1984, 3rd edition, 2004, 386 pp, paperback.
This “business novel” launched a thousand careers in process improvement through metrics. It focuses on critical thinking skills and especially on defining the right questions to answer. A solid foundation for practical efforts at metrics.
A Guide to Security Metrics, Payne SC, SANS Security Essentials GSEC Practical Assignment Version 1.2e, July 11, 2001, 7 pp, PDF.
Security managers will, more than ever before, be held accountable for demonstrating the effectiveness of their security programs and the value of those programs to the organization. Some experts believe that a key aspect of this accountability will be security metrics. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.
Metrics of Network Integrity, Soo Hoo KJ, Sygate Technologies White Paper, July 2004, 6 pp, PDF.
This paper demonstrates the metrics development process by defining a goal of network integrity and building specific metrics to support the decisions of each principal security constituent.