In my last blog post I claimed that I have not seen a good security metrics system working so far and asked whether it is a failure.
On different channels I got some reactions, which I would like to share here.
One claim is that, as risk management is at the heart of security, measuring risks and the efficiency of risk management would give the best indicator of whether we are doing our job. This is definitely a good approach, and one I looked at in the past as well. However, measuring the efficiency of the risk management system is not that simple. What are good indicators? Does an overall reduction of some estimated metrics (impact/probability) make sense? Would it not just become a question of how to manipulate the system? Is a stable list of the top risks an indication that we know them, or that we are complacent? Could we measure how many incidents we have without a corresponding risk on our list, as this would show how complete the list is? It definitely could and should be part of the metrics system.
A simple one is: if the business is successful, we are successful. This is another important indicator, but it could also mean that we in the security organization were just lucky not to have been hit yet.
Finally I got two links which I would like to share with you:
- Aleksandra Sowa shared her presentation on the Exposure Index. Something worth a try in my opinion. My question is always how vulnerable this is to garbage in/garbage out, but it is an interesting approach.
- Jason Hutches shared a paper called Pervasive Readiness: Pipedream or Possible? It covers preparedness for disasters more than security, but it has a few very interesting approaches to measuring the over- and under-preparedness of an organization for an incident. I think it is worth looking at from a security perspective and from a resilience angle as well. I guess there is quite some potential for information/physical security.
Thank you all for your feedback and comments.