Metrics drive business decisions and behavior. They influence process assessment and controls, business policies, collaboration for enterprise-wide benefits, business investment decisions, and strategic and profit-center alignment. With proper design and implementation, both security professionals and corporate management can develop security metrics into a readily accessible dashboard. If poorly designed, security metrics may be perceived as unnecessary and a drain on corporate profits.
After a review of existing metrics used in the industry, the Foundation study found that:
Developing a useful tool required support from the ASIS community using surveys, interviews, and expert and advisory panels. The completed design can be used to either improve and evaluate existing metrics or create new measures.
The Security Metrics Evaluation Tool (MET) is divided into three parts. The first considers the measurement principles of reliability, validity, and generalizability. A reliable metric captures data that is not affected by outside effects such as time or weather. Validity means that the metric measures what you want to measure. Generalizability means that a good metric can be applied across the organization to measure similar events.
The second part focuses on developing a metric that supports the operational aspects of the security function. Practitioners must consider whether the data is collected quickly enough to be of practical use to the organization. The data collection must also minimize the possibility of manipulation and biased information.
Last is the strategic value. Any metric should show support for a return on investment in security and demonstrate organizational relevance. Security professionals must also clearly communicate the value of the metric to senior executives.
The complete study and Security MET will be provided this fall to ASIS members.