Are you measuring your security right?
Updated: Jun 30, 2019
Measurement: A raw figure taken directly from the environment (example: count of security incidents).
Metric: A calculated figure (percentage, total, maximum, minimum, average, mean, standard deviation, etc.) derived from the measurement (example: percentage of incidents resolved).
Key Performance Indicator (KPI): A measurement or a metric that indicates effectiveness or efficiency in achieving the intended outcomes (example: percentage of incidents resolved within the agreed service levels).
Key Risk Indicator (KRI): A measurement or a metric used as a leading indicator of risk (example: number of vulnerabilities exposed to the internet; note that the higher the number of vulnerabilities, the higher the number of security incidents to expect).
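As an added example (not part of the original article), the following Python computes each of the four levels above from constructed sample data: a raw incident count (measurement), the percentage resolved (metric), the percentage resolved within the agreed service level (KPI) and a count of internet-exposed vulnerabilities (KRI). The per-severity SLA hours, the CVSS threshold and the incident and vulnerability records are assumptions made for the example, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed service levels per severity, in hours (hypothetical values).
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}


@dataclass
class Incident:
    ident: str
    severity: str
    opened: datetime
    resolved: Optional[datetime]  # None while the incident is still open


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident records for the example.
INCIDENTS: List[Incident] = [
    Incident("INC-1", "high",   _t("2019-06-01T08:00"), _t("2019-06-01T10:30")),  # 2.5h, within 4h SLA
    Incident("INC-2", "high",   _t("2019-06-02T09:00"), _t("2019-06-02T15:00")),  # 6h, breached SLA
    Incident("INC-3", "medium", _t("2019-06-03T09:00"), _t("2019-06-04T08:00")),  # 23h, within 24h SLA
    Incident("INC-4", "low",    _t("2019-06-05T09:00"), None),                    # still open
    Incident("INC-5", "low",    _t("2019-06-06T09:00"), _t("2019-06-10T09:00")),  # 96h, breached 72h SLA
]

# Constructed vulnerability findings: (host, CVSS base score, internet exposed?)
VULNS: List[Tuple[str, float, bool]] = [
    ("web-01", 9.8, True),
    ("web-02", 7.5, True),
    ("db-01", 8.1, False),
    ("vpn-01", 6.5, True),
]


def measurement_incident_count(incidents: List[Incident]) -> int:
    """Measurement: a raw count, nothing calculated beyond tallying."""
    return len(incidents)


def metric_pct_resolved(incidents: List[Incident]) -> float:
    """Metric: percentage of all incidents that have a resolution time."""
    if not incidents:
        return 0.0
    resolved = sum(1 for i in incidents if i.resolved is not None)
    return 100.0 * resolved / len(incidents)


def kpi_pct_resolved_within_sla(incidents: List[Incident], sla_hours=SLA_HOURS) -> float:
    """KPI: percentage of all incidents closed within the agreed service level.
    An incident that is still open has not yet met its SLA, so it counts in the
    denominator but not the numerator."""
    if not incidents:
        return 0.0
    within = 0
    for i in incidents:
        if i.resolved is None:
            continue
        limit = timedelta(hours=sla_hours[i.severity])
        if i.resolved - i.opened <= limit:
            within += 1
    return 100.0 * within / len(incidents)


def kri_internet_exposed_vulns(vulns, min_cvss: float = 7.0) -> int:
    """KRI: count of internet-exposed vulnerabilities at or above a CVSS
    threshold (the 7.0 threshold is an assumption for the example)."""
    return sum(1 for _, cvss, exposed in vulns if exposed and cvss >= min_cvss)


if __name__ == "__main__":
    print("measurement:", measurement_incident_count(INCIDENTS))
    print("metric:     ", metric_pct_resolved(INCIDENTS))
    print("KPI:        ", kpi_pct_resolved_within_sla(INCIDENTS))
    print("KRI:        ", kri_internet_exposed_vulns(VULNS))
```

The denominator is the design choice worth noticing: measuring SLA attainment over resolved incidents only would let a backlog of open, overdue incidents flatter the KPI, so the example counts every incident and treats an open one as not yet met.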
How do you measure the financial performance of the security investments made? For the business, the key parameters are potentially the financial measures:
Total business assets under protection: This parameter includes (but is not limited to) information assets, information processing equipment and facilities. One asset that may not be expressible in financial measures is the reputation of the organization.
Investments made into security (both as capex and opex): This is the amount of money invested to protect the business assets mentioned above.
Losses incurred: This is the total of losses resulting from information security breaches, regulatory penalties, loss of customer base due to security lapses, etc.
The inter-relationships between the above three parameters are often not linear. However, some balance needs to be sought between them in order to find the right balance between acceptable levels of loss, the security investments made and the value under protection.
KPIs for Management System
The core purpose of the management system is to establish, implement, operate and maintain the information security posture of the organization. Every management system will have its own objectives as defined within the ISMS framework. Measuring the objectives is necessary to understand whether your ISMS is achieving them. Some examples of key measurements for an ISMS are:
Risk Acceptance Rate: This could be a good measure of the organization's risk appetite, or an indication that too many risks are being accepted, which may be due to inefficiencies in the risk management process.
Exceptions To Policies: This is a good measure for identifying policies that are impractical, or where the organization's operational practices do not align with the policies.
KRIs for Security Operations
Most of the measurements performed during the operations phase are leading indicators of a potential breach in the future. The metrics and measurements in themselves are not necessarily an indication of an issue. Some examples are:
Vulnerable Systems: This measurement or metric is not in itself a security incident, but rather an indication of the risk of an impending security breach due to the higher degree of vulnerabilities in the environment.
Unmanaged Privileged Accounts: A measure of privileged accounts that could be compromised within the environment due to password exposure from open sharing of the password, or passwords which could be open to a dictionary attack.
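As an added example that is not from the original article, the following Python computes the two ISMS measures described under "KPIs for Management System" (risk acceptance rate and exceptions per policy) and the unmanaged privileged account KRI from this section, each from a constructed risk register, exception log and account inventory. The exception-count threshold for flagging a policy, the 90-day password age limit and the account fields used (owner, shared, vault-managed) are assumptions for the example; the article does not define them.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed risk register: (risk id, chosen treatment).
RISK_REGISTER: List[Tuple[str, str]] = [
    ("R-1", "mitigate"), ("R-2", "accept"), ("R-3", "accept"),
    ("R-4", "transfer"), ("R-5", "accept"), ("R-6", "mitigate"),
]

# Constructed policy exception log: (policy name, exception id).
POLICY_EXCEPTIONS: List[Tuple[str, str]] = [
    ("Password Policy", "EX-1"), ("Password Policy", "EX-2"),
    ("Password Policy", "EX-3"), ("Password Policy", "EX-4"),
    ("Remote Access Policy", "EX-5"), ("Encryption Policy", "EX-6"),
]


@dataclass
class PrivilegedAccount:
    name: str
    owner: str             # "" when nobody is accountable for the account
    shared: bool           # credential known to more than one person
    password_age_days: int
    in_vault: bool         # managed by a privileged access management tool


# Constructed privileged account inventory.
ACCOUNTS: List[PrivilegedAccount] = [
    PrivilegedAccount("root@web-01", "ops-team", True, 400, False),
    PrivilegedAccount("sa@db-01", "dba", False, 30, True),
    PrivilegedAccount("admin@fw-01", "", False, 200, False),
    PrivilegedAccount("svc-backup", "backup-team", False, 60, True),
]


def risk_acceptance_rate(register) -> float:
    """ISMS KPI: share of recorded risks whose treatment is plain acceptance."""
    if not register:
        return 0.0
    accepted = sum(1 for _, treatment in register if treatment == "accept")
    return 100.0 * accepted / len(register)


def exceptions_per_policy(exceptions, flag_threshold: int = 3) -> Tuple[Dict[str, int], List[str]]:
    """ISMS KPI: exception count per policy. Policies at or above the
    threshold are returned as review candidates (threshold is assumed):
    a policy that keeps needing exceptions is either impractical or
    out of line with how the organization actually operates."""
    counts = Counter(policy for policy, _ in exceptions)
    flagged = sorted(p for p, n in counts.items() if n >= flag_threshold)
    return dict(counts), flagged


def unmanaged_privileged_accounts(accounts, max_password_age_days: int = 90):
    """Operations KRI: privileged accounts that are shared, ownerless, outside
    the vault, or carrying a password older than the rotation limit (limit is
    assumed). Each hit is returned with the reasons so the report can say why."""
    unmanaged = []
    for a in accounts:
        reasons = []
        if a.shared:
            reasons.append("shared")
        if not a.owner:
            reasons.append("no owner")
        if not a.in_vault:
            reasons.append("not vaulted")
        if a.password_age_days > max_password_age_days:
            reasons.append("stale password")
        if reasons:
            unmanaged.append((a.name, reasons))
    return unmanaged


if __name__ == "__main__":
    print("risk acceptance rate:", risk_acceptance_rate(RISK_REGISTER))
    print("exceptions per policy:", exceptions_per_policy(POLICY_EXCEPTIONS))
    print("unmanaged privileged accounts:", unmanaged_privileged_accounts(ACCOUNTS))
```

Returning the reasons alongside each account matters for the KRI: a bare count tells management that risk is rising, while the reasons tell the operations team which control (ownership, vaulting, rotation) to fix first.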
KPIs for Cyber Security
Cyber security incidents (or rather, information security incidents originating from internet vectors) are among the key incidents resulting in data loss, reputation damage, server takeover for crypto-mining activities and a wide variety of other negative impacts. It is important to measure such incidents in order to prioritise addressing their identified root causes. Some examples of cyber security incidents are:
Malicious Code: A higher number of malicious code related events is an indication of malware prevention controls not being effective. It is important to identify all the attack vectors, prioritise them in the order of the highest contributing factors, and resolve the most significant causes to bring the situation under control.
Web-site defacement: An attacker being able to deface your web-site is an indication of poor coding practices and security vulnerabilities within the web-page source code. Application firewalls may help here, yet the potential for recurrence of such incidents remains as long as the source code continues to be vulnerable.
Bring it all together
The security reporting needs to be comprehensive, including a go-to-green plan which ties all the security reporting components discussed above together. The go-to-green plan should provide an overview of the information security implementation within the organization in a simplified format for management to consume. At the end of the day, the report is a communication tool for upper management, so it is important to include what matters most. A sample dashboard overview from the go-to-green plan is below:
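As an added example (not part of the original article), this Python first ranks malicious-code events by attack vector to find the highest contributing factors, as the malicious-code paragraph under "KPIs for Cyber Security" describes, and then rolls a handful of indicators into a red/amber/green go-to-green summary of the kind the dashboard paragraph calls for. The event log, the indicator values and targets, and the amber tolerance of 25% of the target are all constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed malware-prevention events: (event id, attack vector).
MALWARE_EVENTS: List[Tuple[str, str]] = [
    ("E1", "email"), ("E2", "email"), ("E3", "web"), ("E4", "email"), ("E5", "usb"),
    ("E6", "email"), ("E7", "web"), ("E8", "email"), ("E9", "email"), ("E10", "web"),
]


def vectors_by_contribution(events):
    """Rank attack vectors by share of events, carrying a cumulative share so
    the few vectors that explain most of the events stand out.
    Returns [(vector, count, share_pct, cumulative_pct), ...]."""
    counts = Counter(vector for _, vector in events)
    total = sum(counts.values())
    ranked, cumulative = [], 0.0
    for vector, n in counts.most_common():
        share = 100.0 * n / total
        cumulative += share
        ranked.append((vector, n, round(share, 1), round(cumulative, 1)))
    return ranked


def top_vectors(events, cover_pct: float = 80.0) -> List[str]:
    """Smallest set of leading vectors that together cover at least cover_pct
    of events: the ones to resolve first to bring the situation under control."""
    chosen = []
    for vector, _, _, cumulative in vectors_by_contribution(events):
        chosen.append(vector)
        if cumulative >= cover_pct:
            break
    return chosen


# Go-to-green roll-up: indicator -> (current value, target, "higher"/"lower" is better).
# Values, targets and directions are assumed for the example.
INDICATORS: Dict[str, Tuple[float, float, str]] = {
    "incidents resolved within SLA (%)": (40.0, 90.0, "higher"),
    "risk acceptance rate (%)":          (35.0, 30.0, "lower"),
    "internet-exposed critical vulns":   (2, 0, "lower"),
    "unmanaged privileged accounts":     (0, 0, "lower"),
}


def rag_status(value: float, target: float, better: str, amber_margin: float = 0.25) -> str:
    """Green when the target is met, amber when within amber_margin of the
    target (relative to the target, with a floor of 1 unit so a target of 0
    still has a small amber band), red otherwise."""
    gap = (target - value) if better == "higher" else (value - target)
    if gap <= 0:
        return "green"
    tolerance = amber_margin * max(abs(target), 1)
    return "amber" if gap <= tolerance else "red"


def go_to_green(indicators) -> Dict[str, str]:
    """One status per indicator: the simplified view management consumes."""
    return {name: rag_status(v, t, b) for name, (v, t, b) in indicators.items()}


if __name__ == "__main__":
    for row in vectors_by_contribution(MALWARE_EVENTS):
        print("%-6s %2d events %5.1f%% (cumulative %5.1f%%)" % row)
    print("resolve first:", top_vectors(MALWARE_EVENTS))
    for name, status in go_to_green(INDICATORS).items():
        print("%-36s %s" % (name, status))
```

The cumulative column is what turns a count into a priority: it shows how many vectors must be fixed before most of the events go away, and the go-to-green roll-up then reports only whether each indicator has reached its target, which is the level of detail upper management needs.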