A Few Good Metrics

Mention metrics to a CIO or infosecurity executive and immediately their thoughts may well turn to sigmas, standard deviations and, probably, probability. To many, metrics equals statistics.

SIDEBAR: A Good Metric Must:

1. BE CONSISTENTLY MEASURED. The criteria must be objective and repeatable.
2. BE CHEAP TO GATHER. Using automated tools (such as scanning software or password crackers) helps.
3. CONTAIN UNITS OF MEASURE. Time, dollars or some numerical scale should be included - not just, say, "green", "yellow" or "red" risks.
4. BE EXPRESSED AS A NUMBER. Give the results as a percentage, ratio or some other kind of actual measurement. Don't give subjective opinions such as "low risk" or "high priority."

Source: Andrew Jaquith

SIDEBAR: A Good Visualization of Metrics Will:

1. NOT BE OVERSIMPLIFIED. Executives can handle complex data if it's presented clearly.
2. AT THE SAME TIME, NOT BE ORNATE. Gratuitous pictures, 3-D bars, florid design and noise around the data diminish effectiveness.
3. USE A CONSISTENT SCALE. Switching scales within a single graphic presentation makes it confusing or suggests you're trying to bend the facts.
4. INCLUDE A COMPARISON TO A BENCHMARK, WHERE APPLICABLE. "You are here" or "The industry is here" is often a simple but informative comparative element to add.

Source: Andrew Jaquith
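To make both sidebars concrete, here is an added example (not from the article or from Jaquith) that turns a constructed vulnerability-scanner export into metrics meeting the four criteria in the first sidebar (objective severity from the tool, cheap to gather, unit-bearing, numeric) and then states the gap against a benchmark as the second sidebar recommends. Host names, dates, the 30-day SLA and the 75% benchmark are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str          # assigned by the scanner, not by hand: objective and repeatable
    first_seen: date
    fixed: Optional[date]  # None while the finding is still open


# Constructed sample of what an automated scanner might export (hypothetical hosts and dates).
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Finding("web-01", "critical", date(2024, 5, 1), date(2024, 5, 11)),   # fixed in 10 days
    Finding("web-02", "critical", date(2024, 5, 1), date(2024, 6, 20)),   # fixed in 50 days
    Finding("db-01", "critical", date(2024, 6, 10), None),                # open 20 days
    Finding("db-02", "critical", date(2024, 4, 1), None),                 # open 90 days
    Finding("app-01", "high", date(2024, 5, 1), date(2024, 5, 3)),        # outside the severity scope
]


def remediation_metrics(findings, as_of, severity="critical", sla_days=30):
    """Numeric, unit-bearing metrics for one severity class: mean days to remediate
    (closed findings only), percentage of all findings inside the SLA (closed within
    sla_days, or still open but not yet older than sla_days), and a count of open,
    overdue findings. No colour codes or "high risk" labels, only measurements."""
    scoped = [f for f in findings if f.severity == severity]
    if not scoped:
        return {"mean_days_to_fix": None, "pct_within_sla": None, "open_overdue": 0, "sample_size": 0}
    ages, within, overdue_open = [], 0, 0
    for f in scoped:
        age = ((f.fixed or as_of) - f.first_seen).days   # unit: days
        if f.fixed is not None:
            ages.append(age)
        if age <= sla_days:
            within += 1
        elif f.fixed is None:
            overdue_open += 1
    return {
        "mean_days_to_fix": round(sum(ages) / len(ages), 1) if ages else None,  # days
        "pct_within_sla": round(100.0 * within / len(scoped), 1),               # percent
        "open_overdue": overdue_open,                                           # count
        "sample_size": len(scoped),                                             # count
    }


def versus_benchmark(pct_within_sla, benchmark_pct):
    """Gap in percentage points; positive means better than the benchmark ("you are here")."""
    return round(pct_within_sla - benchmark_pct, 1)


if __name__ == "__main__":
    m = remediation_metrics(SAMPLE, AS_OF)
    print(m, "gap vs 75% benchmark:", versus_benchmark(m["pct_within_sla"], 75.0))
```

Reporting "50% of criticals within the 30-day SLA, 25 points below the assumed benchmark" satisfies every item on the checklist, whereas "critical exposure: red" satisfies none.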
