A Few Good Metrics

Information security metrics don't have to rely on heavy-duty maths to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are six smart measurements - and effective ways to present them.

Metrics have a bad rep. Mention metrics to a CIO or infosecurity executive and immediately their thoughts may well turn to sigmas, standard deviations and, probably, probability. To many, metrics equals statistics.

There's no denying that proven economic principles can - and should - be applied to information security investments. At the same time, a bumper crop of valuable metrics exist that don't require classes on Nobel Prize-winning theories or a working knowledge of the Greek alphabet. You've actually already sowed the seeds of these less dense but equally valuable metrics. They're sitting in your log files, on your network, in the brains of your business unit managers, just waiting to be harvested. You won't need computational prowess to exploit this crop's value, just some legwork and - this is key - the most effective presentation tools.

Here we discuss six such metrics, along with some ways to present them visually, as imagined by Andrew Jaquith. Jaquith is a co-founder of the consultancy @stake (which was bought in 2004 by Symantec) and a protégé of infosecurity guru Dan Geer. At @stake he invented a popular analytic methodology that is used to evaluate a client's risk in its application portfolio. He has since left Symantec and joined The Yankee Group. More recently he started Securitymetrics.org, a Web site open to all security professionals for sharing, contributing and advancing the use of metrics in information security. He is also writing a book, Security Metrics, due out later this year.

Jaquith has sharp, sometimes contrarian opinions on what makes a good metric and what makes for good presentation of metrics. For example, he thinks annual loss expectancy (ALE), a tool used to measure potential losses against probability of losses occurring over time, is useless, because in infosecurity, the L and the E in ALE are wild guesses. Quoting Geer, he says: "The numbers are too poor even to lie with."

He also thinks CIOs and CISOs are too apt to dumb down visual representations of metrics for their executive counterparts, mistaking simplicity for clarity. He holds a particular grudge against the overuse of the "red, yellow, green" representation of metrics to signify high, medium and low numbers. "A CEO's favourite visualization of metrics is a stock chart, a 2.5cm square that contains a month's worth of opening and closing prices, a trend line and several other indicators. Maybe 50 or more data points right there. Don't tell me they can't handle complex data. They can, as long as it's presented well."

By no means does Jaquith (or CIO for that matter) think these five metrics are the final word on infosecurity. Quite the contrary, they're a starting point, relatively easy to ascertain and hopefully smart enough to get CIOs thinking about finding other metrics like these, out in the vast fields of data, waiting to be reaped.
