Introduction Governance Metrics Overview Defining Security Is there a solution? SECURITY METRICS OVERVIEW Metrics and Objectives Information Security Security Why the IT metric focus Other assurance functions Stakeholders SECURITY METRICS Security Program Effectiveness Types of Metrics Information Assurance / Security Metrics Classification Monitoring vs. Metrics CURRENT STATE OF SECURITY METRICS Quantitative Measures and Metrics Performance Metrics Financial Metrics Return on Security Investment (ROSI) A new ROSI model Security Attribute Evaluation Method (SAEM) Cost-Effectiveness Analysis Fault Tree Analysis Value at Risk (VAR) ALE / SLE Other Value Metrics Limitations of existing approaches Qualitative Security Metrics Cultural Metrics Risk Management through Cultural Theory The Competing Values Framework Organizational Structure WIND STORM Hybrid Approaches Systemic Security Management Balanced Scorecard The SABSA Business Attributes Approach Quality Metrics Six Sigma ISO 9000 Quality of Service (QOSS) Maturity Level Benchmarking Standards OCTAVE METRICS DEVELOPMENTS Statistical Modeling Phase Transitions in Operational Risk Adequate Capital and Stress Testing for Operational Risks Functional correlation approach to operational risk in banking organizations Systemic Security Management Value at Risk Analysis Factor Analysis of Information Risk (FAIR) Risk Factor Analysis Probabilistic Risk Assessment (PRA) RELEVANCE Problem Inertia Correlating Metrics to Consequences THE METRICS IMPERATIVE Study of ROSI of Security Measures Resource Allocation Managing without Metrics ATTRIBUTES OF GOOD METRICS Metrics Objectives Measurement Categories How can it be measured? What is being measured? Why is it measured? Who are the recipients? What does it mean? What action is required? INFORMATION SECURITY GOVERNANCE Security Governance Outcomes Defining Security Objectives Sherwood Applied Business Security Architecture (SABSA) CobiT ISO 27001 Capability Maturity Model Metrics and Strategy Governance Metrics Strategic Alignment Risk Management Value Delivery Resource Management Performance Measurement Assurance Process Integration (convergence) METRICS DEVELOPMENT – A DIFFERENT APPROACH Activities Requiring Metrics INFORMATION SECURITY GOVERNANCE METRICS Strategic Security Governance Decisions Strategic Security Governance Decision Metrics Security Governance Management Decisions Strategic Direction Ensuring Objectives are Achieved Managing Risks Appropriately Using Resources Responsibly Security Governance Operational Decisions INFORMATION SECURITY RISK MANAGEMENT Information Security Risk Management Decisions Information Security Risk Management Metrics Criticality of assets Sensitivity of assets The nature and magnitude of impacts Vulnerabilities Threats Probability of Compromise Strategic initiatives and plans Acceptable levels of risk and impact Information Security Operational Risk Metrics Internal Fraud External Fraud Employment Practices and Workplace Safety Clients, Products & Business Practice Damage to Physical Assets Business Disruption & Systems Failures Execution, Delivery & Process Management INFORMATION SECURITY PROGRAM DEVELOPMENT METRICS Program Development Management Metrics Program Development Operational Metrics INFORMATION SECURITY PROGRAM MANAGEMENT METRICS Security Management Decision Support Metrics CISO Responsibilities CISO Decisions Strategic alignment Case Study Risk Management Metrics for Risk Management Organizational risk tolerance Resource valuation Comprehensive risk assessment Effectiveness of mitigation efforts Assurance Process Integration Value Delivery Resource Management Performance Measurement Information Security Management Operational Decision Support Metrics IT and Information Security Management Compliance Metrics Criticality and Sensitivity Risk Exposure The state of compliance Case Study Personnel Competence Resource adequacy Metrics Reliability Procedure functionality, efficiency, and appropriateness Strategic Performance Measures Tactical Performance Measures Key Control Effectiveness Control Reliability Control Failure Management Effectiveness INCIDENT MANAGEMENT AND RESPONSE Incident Management Decision Support Metrics CONCLUSIONS APPENDIX A. METRICS CLASSIFICATIONS IA Program Developmental Metrics Support Metrics Operational Metrics Effectiveness Metrics Metrics for Strength Assessment Metrics for Features in Normal Circumstances Metrics for Features in Abnormal Circumstances Metrics for Weakness Assessment APPENDIX B. CULTURAL WORLDVIEWS Hierarchists Egalitarians Individualists Fatalists APPENDIX C. THE COMPETING VALUES FRAMEWORK Vertical: Stability/Flexibility The Competing Values map Hierarchy Market Adhocracy APPENDIX D. THE ORGANIZATION CULTURE ASSESSMENT INSTRUCTION (OCAI) APPENDIX E. SABSA BUSINESS ATTRIBUTE METRICS APPENDIX F. CAPABILITY MATURITY MODEL

CISM Brotby, W. Krag