Chapter 2, "Why measure information security?", concerns the purposes or reasons for which metrics are required. Addressing this deceptively simple question neatly introduces a fundamental metrics concept that underpins the whole book. Essentially, before you can design or select metrics, you need to figure out why you are so concerned about something that you want or need to measure it. Digging deeper, understanding which specific aspects are of interest, and which criteria would determine whether the measurements are reassuring or worrying, goes a long way towards adopting valuable, worthwhile metrics.
Addressing our own question, information security is measured:
… to answer awkward management questions
… to improve information security, systematically
… for strategic, tactical and operational reasons
… for compliance and assurance purposes
… to fill the vacuum caused by our inability to measure security
… to support the information security manager
… for profit!
… and for various other reasons.
Read chapter 2 for more on each of these.
Picking up on the fourth reason (compliance and assurance), security metrics are not just useful within the organization. External stakeholders such as its owners, business partners, customers and the authorities have an interest in the organization’s information security status and capabilities.
Regulators, for instance, are concerned that regulated organizations comply with applicable regulations. At present, external oversight primarily involves auditing or assessing compliance with privacy laws, HIPAA, PIPEDA, ISO/IEC 27001, CIP, PCI-DSS, SSAE16 etc. The compliance certificate is a rather basic binary metric (an overall pass/fail), while the compliance requirements themselves define minimum acceptable standards in a formal way designed to facilitate compliance audits rather than instill good practice. Surely we can do better than that?
Using the PRAGMATIC approach, stakeholders can develop valuable analog or proportional security metrics. Rather than simply determining the organization’s overall compliance status, they can gain assurance regarding its strengths and weaknesses across different facets of information security. PRAGMATIC security metrics make it feasible to progress from the rigid compliance mindset to more sophisticated and flexible benchmarking and continuous improvement.
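To make the contrast between a binary compliance result and a proportional, per-facet metric concrete, here is an added example that is not from the book or its authors. The scoring scheme (a 0 to 1 effectiveness score per control, a pass threshold, and a mean per facet) and the assessment data are constructed assumptions for illustration only, not the PRAGMATIC method itself. The point it shows is that the same assessment data can yield a clean "pass" while one facet is clearly weak.

```python
"""Binary pass/fail compliance versus proportional per-facet metrics.

Added illustration; the scoring scheme and sample data are constructed
assumptions, not the book's PRAGMATIC method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlResult:
    facet: str       # area of information security, e.g. "access control"
    control: str     # control identifier (constructed, not from any standard)
    score: float     # assessed effectiveness: 0.0 (absent) .. 1.0 (fully effective)
    mandatory: bool  # True if failing this control fails the compliance audit


# Constructed sample assessment results for one organization.
SAMPLE_RESULTS = [
    ControlResult("access control", "AC-1", 1.0, True),
    ControlResult("access control", "AC-2", 0.9, True),
    ControlResult("access control", "AC-3", 0.4, False),
    ControlResult("incident management", "IM-1", 1.0, True),
    ControlResult("incident management", "IM-2", 0.2, False),
    ControlResult("incident management", "IM-3", 0.3, False),
    ControlResult("backup", "BK-1", 1.0, True),
    ControlResult("backup", "BK-2", 1.0, False),
]

# Assumed threshold: a control scoring at or above this counts as "passed".
PASS_THRESHOLD = 0.7


def compliance_pass(results, threshold=PASS_THRESHOLD) -> bool:
    """Binary metric: pass only if every mandatory control meets the threshold.

    Non-mandatory controls do not influence the result at all, which is
    exactly the information a pass/fail certificate discards.
    """
    return all(r.score >= threshold for r in results if r.mandatory)


def facet_scores(results) -> dict[str, float]:
    """Proportional metric: mean effectiveness score per facet, rounded to 2 dp."""
    by_facet: dict[str, list[float]] = {}
    for r in results:
        by_facet.setdefault(r.facet, []).append(r.score)
    return {facet: round(sum(s) / len(s), 2) for facet, s in by_facet.items()}


def weakest_facets(results, n=1) -> list[str]:
    """Rank facets by score and return the n lowest: where improvement effort should go."""
    scores = facet_scores(results)
    return sorted(scores, key=scores.get)[:n]


if __name__ == "__main__":
    print("Compliance pass/fail:", "PASS" if compliance_pass(SAMPLE_RESULTS) else "FAIL")
    for facet, score in facet_scores(SAMPLE_RESULTS).items():
        print(f"{facet:<20} {score:.2f}")
    print("Weakest facet:", weakest_facets(SAMPLE_RESULTS)[0])
```

Run as written, the organization passes the binary check (every mandatory control is at or above 0.7), while the per-facet view shows incident management averaging 0.5, which the certificate alone would never reveal. Tracking the facet scores over successive assessments is the benchmarking and continuous-improvement use the passage describes.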