We have published a series of short information security metrics briefing papers, originally delivered as part of a security awareness service aimed at management. The papers were written over several years, so you may notice our thoughts on security metrics evolving, with new styles of metric introduced from time to time. Metrics is, after all, a developing field!
The awareness briefings each describe a selection of metrics on a single topic plucked from a deliberately wide spectrum of information risk and security-related topics. In the context of the security awareness program, their purpose was to encourage managers to think about what’s really important to the organization in each topic area, ideally discussing possible metrics with the information risk and security specialists.
The enlightened reader might even apply the PRAGMATIC method to evaluate and ideally improve on them.
We’d love to get your feedback. Which are the metrics you find most valuable in any of these topic areas, and why?