We have published a series of short information security metrics briefing papers originally delivered as part of a security awareness service aimed at management. The papers were written over several years. You may notice our thoughts on security metrics evolving with new styles of metric being introduced from time to time. Metrics is, after all, a developing field!

• Authentication metrics
• Authentication and phishing metrics
• Contingency metrics
• Database security metrics
• Email security metrics
• Information security and risk management metrics - in general.
• Information security governance metrics
• Insider threat metrics
• Integrity metrics ... which also covers the integrity of metrics (a PRAGMATIC concern!)
• IPR metrics
• IT audit metrics
• Malware metrics
• Network security metrics
• Office information security metrics
• Physical information security metrics
• Privacy metrics
• Security compliance metrics
• Social engineering metrics
• Trade secret protection metrics

The awareness briefings each describe a selection of metrics on a single topic plucked from a deliberately wide spectrum of information risk and security-related topics. In the context of the security awareness program, their purpose was to encourage managers to think about what’s really important to the organization in each topic area, ideally discussing possible metrics with the information risk and security specialists.

The enlightened reader might even apply the PRAGMATIC method to evaluate and ideally improve on them.

We‘d love to get your feedback. Which are the metrics you find most valuable in any of these topic areas, and why?

Copyright © 2021 Gary Hinson & Krag Brotby