By Ann Longmore-Etheridge

Metrics drive business decisions and behavior. They influence process assessment and controls, business policies, collaboration for enterprisewide benefits, business investment decisions, and strategic and profit center alignment. With proper design and implementation, both security professionals and corporate management can develop security metrics into a readily accessible dashboard. If poorly designed, security metrics may be perceived as unnecessary and a drain on corporate profits.

After a review of existing metrics used in the industry, the Foundation study found that:

  • Descriptions of existing security metrics are generally vague, making it difficult to adopt them; the focus is more on counting events than on meaningful, risk-based metrics.
  • Strategies for communicating metrics are general and may be hard to implement.
  • Typically, evaluation criteria are only presented at a conceptual level within the security literature without explicit definitions.
  • Few examples of empirically sound metrics (with statistical justification and evidence) are present within the security literature.
  • The development of the Security Metrics Evaluation Tool (Security MET) would address these limitations.

Developing a useful tool required support from the ASIS community using surveys, interviews, and expert and advisory panels. The completed design can be used to either improve and evaluate existing metrics or create new measures.

The Security Metrics Evaluation Tool (MET) is divided into three parts. The first considers the measurement principles of reliability, validity, and generalizability. A reliable metric captures data not affected by outside effects such as time or weather. Validity means that the metric measures what you want to measure. A good metric should be able to be used across the organization to measure similar events.

The second part focuses on developing a metric that supports the operational aspects of the security function. Practitioners must consider whether the data is collected in a timely enough fashion to be of practical use by the organization. The data collected must also minimize the possibility of manipulation and biased information.

Last is the strategic value. Any metric should show support for a return on investment in security and demonstrate organizational relevance. Security professionals must also clearly communicate the value of the metric to senior executives.

The complete study and Security MET will be provided this fall to ASIS members.


