Security Metrics


From an Information Technology (IT) perspective, one of the most important items that can be measured and monitored is security. In the modern world of technology, companies want to be able to provide a detailed answer to the question: how secure am I? Without security metrics, there would be no way to gauge the amount of security necessary to protect important information. As a direct result of security metrics, companies, as well as the general population, have seen a decrease in the number of viruses, Trojans, worms, and potential identity thefts. But what are security metrics, and what are some of the most commonly used metrics in the area of security? Security metrics are generally considered to be “the standard for measuring security, specifically measuring an organization’s security posture” (Aiello, 2005). The basic difference between a metric and a measurement, therefore, is that metrics are the interpretations (either subjective or objective) of measurements made by people (Payne, 2006).

In today’s world, the categories of security metrics can be broken into different groups that companies can consider when deciding what sort of metrics to apply to measure their own security level. These categories include platform, network, incident, vendor, people, industry, and political (Aiello, 2005). There are also three major metric types: real-time, polled, and incident-based. Finally, a company can decide which metrics to collect by evaluating several factors, including policy mining, risk scoring, vendor evaluations, regulator, and ‘tips’ (Aiello, 2005). Using calculations and data collected by the methods above, a company can monitor, track, and graph the various breaches and anomalies that can exist in its security measures. From there, the company can add security measures where it finds itself weakest and most susceptible to outside threats.

There are also more non-traditional ways for a company to gather information security metrics that do not rely heavily upon calculation. Some examples of these less calculation-heavy metrics include baseline defenses coverage, patch latency, password strength, and email traffic analysis. Baseline defenses coverage deals with running antivirus scans on the systems of a business, as well as evaluating the state of the systems’ firewalls, to see how they compare on the threat level of receiving viruses or other malware. Patch latency is the amount of time it takes for a company to download, install, and integrate the current patches for its systems’ software. Password strength is a basic analysis of the level of complexity of the passwords that grant access to a company’s systems. Email traffic analysis is a process by which a company can track and monitor the regular flow of emails through the company in the hope of flagging unusually sized emails or ones that are sent at a time when emails are not regularly sent. This process, therefore, protects a company from potential threats that could spread or infiltrate through email services (Berinato, 2005).
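The email traffic analysis described above can be sketched in a few lines. This is an added example, not taken from the essay or its cited sources; the record layout, the sample data, and the thresholds `size_k` and `min_hour_share` are assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed baseline: (ISO timestamp, size in bytes) for normal business-hours mail.
BASELINE = [(f"2024-03-{d:02d}T{h:02d}:15:00", 40_000 + 3_000 * ((d + h) % 7))
            for d in range(4, 9) for h in range(8, 18)]

# Constructed messages to score: (message id, ISO timestamp, size in bytes).
OBSERVED = [
    ("m1", "2024-03-11T10:05:00", 45_000),      # ordinary
    ("m2", "2024-03-11T14:30:00", 9_500_000),   # unusually large
    ("m3", "2024-03-12T03:12:00", 41_000),      # sent when mail is not normally sent
    ("m4", "2024-03-12T02:47:00", 12_000_000),  # both
]

def build_profile(baseline):
    """Summarise normal traffic: robust size statistics and per-hour volume share."""
    sizes = [size for _, size in baseline]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1  # avoid a zero spread
    hours = Counter(datetime.fromisoformat(ts).hour for ts, _ in baseline)
    share = {h: hours[h] / len(baseline) for h in range(24)}
    return {"median": med, "mad": mad, "hour_share": share}

def flag_messages(observed, profile, size_k=10, min_hour_share=0.01):
    """Return {message id: [reasons]} for messages outside the baseline.

    size_k and min_hour_share are assumed thresholds, to be tuned per site.
    """
    flagged = {}
    for msg_id, ts, size in observed:
        reasons = []
        if size > profile["median"] + size_k * profile["mad"]:
            reasons.append("size")
        if profile["hour_share"][datetime.fromisoformat(ts).hour] < min_hour_share:
            reasons.append("time")
        if reasons:
            flagged[msg_id] = reasons
    return flagged

if __name__ == "__main__":
    for msg_id, reasons in flag_messages(OBSERVED, build_profile(BASELINE)).items():
        print(msg_id, "flagged for", ", ".join(reasons))
```

The median and median absolute deviation are used instead of mean and standard deviation so that a few very large messages in the baseline do not raise the size threshold.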

Security metrics provide a valuable tool for security administrators. Metrics provide “an effective tool for security managers to discern the effectiveness of various components of the security programs, the security of a specific system, product or process, and the ability of staff or departments within an organization to address security issues for which they are responsible” (Payne, 2006). Though many would immediately think of high-end analysis and calculations when asked about metrics, there are several effective security metrics that require minimal amounts of calculation while still providing very useful, insightful data to a company’s security managers.

References

Aiello, M. (2005). Security metrics. Information Security Management Polytechnic University. Retrieved from http://www.google.com

Berinato, S. (2005, July 01). A few good information security metrics. Data protection. Retrieved from http://www.csoonline.com/article/220462/a-few-good-information-security-metrics?page=1

Payne, S. (2006, June 19). A guide to security metrics. SANS Security Essentials. Retrieved from http://www.sans.org/reading_room/whitepapers/auditing/guide-security-metrics_55