Metrics are tools designed to facilitate decision-making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. This paper provides an overview of security metrics: their definition, needs, attributes, advantages, measures, types and issues/aspects. It also classifies security metrics and explains their relationship with risk management.
Understanding the different metrics available for information security starts with recalling what a metric is. The Oxford online dictionary defines a metric as a system or standard of measurement, and measurement as the action of measuring something: ascertaining the size, amount, or degree of something by using an instrument or device marked in standard units. Metrics and measurement are therefore intimately linked. Although the two terms are often used in place of each other, they are not the same. In the rest of this paper they are nevertheless used interchangeably, following the practice of the Applied Computer Security Associates (ACSA).
A metric is usually presented as an abstract, subjective attribute, whereas a measure is a concrete, objective one. A measurement results from an observation, made with an appropriate method for collecting data; a metric represents the observed data on some kind of scale. After observations have been made to obtain measurements, analysis is performed on them to generate metrics.
Metrics can be an effective tool for security managers to discern the effectiveness of various components of their security programs, the security of a specific system, product or process, and the ability of staff or departments within an organization to address security issues for which they are responsible. Metrics can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions. Additionally, they may be used to raise the level of security awareness within the organization. Finally, with knowledge gained through metrics, security managers can better answer hard questions from their executives and others.
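The measurement-to-metric pipeline described in the two paragraphs above, as an added example that is not part of the paper: constructed per-host observations play the role of the measurements, and the analysis turns them into a coverage metric placed on an ordinal scale plus an exposure ranking that shows the risk of not acting on each control. The host names, control names, criticality weights and rating thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One measurement: what a scanner or inventory reported for a host and control."""
    host: str
    control: str       # e.g. "patching", "edr_agent", "disk_encryption" (assumed names)
    compliant: bool    # observed fact: is the control in place on this host?
    criticality: int   # asset criticality on an assumed 1 (low) .. 3 (high) scale


# Constructed sample observations (hypothetical hosts, not real data).
OBSERVATIONS = [
    Observation("web-01", "patching", False, 3),
    Observation("web-01", "edr_agent", True, 3),
    Observation("web-02", "patching", True, 3),
    Observation("web-02", "edr_agent", True, 3),
    Observation("hr-db", "patching", False, 3),
    Observation("hr-db", "disk_encryption", False, 3),
    Observation("lab-07", "patching", False, 1),
    Observation("lab-07", "disk_encryption", True, 1),
]


def coverage(observations, control):
    """Metric: percentage of measured hosts on which the control is in place.
    Returns None when nothing was measured, so a data gap is not reported as 0%."""
    scoped = [o for o in observations if o.control == control]
    if not scoped:
        return None
    return 100.0 * sum(o.compliant for o in scoped) / len(scoped)


def rating(pct):
    """Place the coverage percentage on an ordinal scale (assumed thresholds)."""
    if pct is None:
        return "no data"
    if pct >= 95:
        return "green"
    if pct >= 80:
        return "amber"
    return "red"


def exposure(observations):
    """Risk of not acting: criticality-weighted count of non-compliant hosts per
    control, sorted so the first entry is the corrective action to take first."""
    weight = defaultdict(int)
    for o in observations:
        if not o.compliant:
            weight[o.control] += o.criticality
    return sorted(weight.items(), key=lambda kv: kv[1], reverse=True)
```

Running `exposure(OBSERVATIONS)` ranks patching above disk encryption because three unpatched hosts, two of them high-criticality, outweigh one unencrypted database.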
Security metrics can be considered a standard (or system) used for quantitatively measuring an organization's security posture. Security metrics are essential to comprehensive network security and CSA management. Without good metrics, analysts cannot answer many security-related questions. Measuring information security is difficult: effective measurement and reporting are required in order to demonstrate compliance, improve the effectiveness and efficiency of controls, and ensure strategic alignment in an objective, reliable, and efficient manner.
We would thus recommend that metrics be designed through a participatory design process involving the organization's affected security professionals. Moreover, a method in which the availability of data is prioritized over the completeness of the metrics is recommended, in order to test and improve the maturity of the information security program.
Rana Khudhair Abbas Ahmed, Alrafidain University College, Iraq, Baghdad.