IT Security Metrics

Implementing IT security metrics enables an organization's management to analyze the performance of the technical, operational, and management controls of its IT systems.

Metrics Development and Implementation

Using the Strategy2Act software we designed a set of IT security metrics.

Also, available for free download:

  • Sample Scorecard Reports: Scorecard report, Strategy Tree report, Full Report, Report for PDA.  
  • Strategy2Act file.

Performance metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. IT security metrics are based on IT security performance goals and objectives, which state the desired results of a system security program implementation and identify practices defined by security policies and procedures. Overall, IT security metrics monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.

The requirement to measure IT security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations cite IT security performance measurement as a requirement. The results of an effective metrics program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. In addition, the process of data collection and reporting enables management to pinpoint specific technical, operational, or management controls that are not being implemented or are implemented incorrectly. Using the results of the metrics analysis, program managers and system owners can isolate problems, use the collected data to justify investment requests, and then target investments specifically at the areas in need of improvement.

The metrics that are ultimately selected for implementation will be useful not only for measuring performance, identifying causes of unsatisfactory measurements, and pinpointing improvement areas, but also for facilitating continuous policy implementation, effecting security policy changes, and redefining goals and objectives. Once the measurement of security control implementation commences, subsequent measurements can be used to identify performance trends and ascertain whether the rate of implementation is appropriate. The collection frequency of each metric will depend on the life cycle of the measured event. For instance, a metric that pertains to crackable passwords should be collected at least monthly.

IT security metrics implementation consists of five stages: 

  1. IT security metrics identification, definition, and development; 

  2. Metrics data collection and results analysis; 

  3. Remediation actions identification; 

  4. Evaluation of necessary resources; 

  5. Technical, administrative and operational remediation activities.

Identification of IT Security Metrics

During metrics development, goals and objectives from federal, internal, and external guidance, legislation, and regulations are identified and prioritized to ensure that the measurable aspects of security performance correspond to the operational priorities of the organization. Security metrics must use data that is readily obtainable and must yield quantifiable information (percentages, averages, and numbers).

The National Institute of Standards and Technology (NIST) published a report that identifies 17 IT security topics affecting the security posture of an organization (http://csrc.nist.gov/). These topics range from risk management and security controls assessment, through personnel security and training and awareness, to incident response capability and audit trails.

The IT security metrics also include measurements for Authentication, Authorize Processing, Physical and Environmental Protection, Hardware and Systems Software Maintenance, Input/Output Controls, and Documentation.

After the applicable metrics are identified and described, the appropriate performance targets should be set. A performance target establishes the goal against which success is measured; the degree of success is determined by how close the metric result is to the stated performance target.
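The following is an added illustration, not code from the article or from Strategy2Act: a small weighted scorecard that scores each metric by its proximity to its performance target and rolls the scores up into a total out of 100, then lists the metrics that fall short so the controls needing remediation can be pinpointed. The metric names, targets, weights and measured values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Metric:
    name: str
    measured: float          # value collected from the environment
    target: float            # performance target for this metric
    weight: float            # relative importance within the scorecard
    higher_is_better: bool   # True: patched systems (%); False: crackable passwords (%)


def metric_score(m: Metric) -> float:
    """Proximity of the measured value to its target as a fraction in [0, 1].
    Meeting or beating the target earns 1.0; otherwise the score is the
    shortfall ratio (measured/target, or target/measured when lower is better)."""
    if m.higher_is_better:
        if m.target <= 0:
            raise ValueError(f"{m.name}: target must be positive")
        return min(1.0, m.measured / m.target)
    if m.measured <= m.target:
        return 1.0
    if m.target <= 0:        # any positive reading misses a zero target entirely
        return 0.0
    return m.target / m.measured


def scorecard_total(metrics: list[Metric]) -> float:
    """Weighted roll-up of all metric scores, reported out of 100."""
    total_weight = sum(m.weight for m in metrics)
    if total_weight <= 0:
        raise ValueError("scorecard needs at least one positively weighted metric")
    return 100.0 * sum(m.weight * metric_score(m) for m in metrics) / total_weight


def improvement_areas(metrics: list[Metric], threshold: float = 0.8) -> list[str]:
    """Names of the metrics scoring below the threshold: the controls to target first."""
    return [m.name for m in metrics if metric_score(m) < threshold]


# Constructed sample measurements (hypothetical values, not real audit data).
SAMPLE_METRICS = [
    Metric("Systems with current patches (%)", 92.0, 100.0, 3.0, True),
    Metric("Accounts with crackable passwords (%)", 8.0, 5.0, 2.0, False),
    Metric("Staff who completed awareness training (%)", 100.0, 95.0, 1.0, True),
    Metric("Incidents reported within 24 hours (%)", 70.0, 90.0, 2.0, True),
]

if __name__ == "__main__":
    for m in SAMPLE_METRICS:
        print(f"{m.name:46s} {metric_score(m):.2f}")
    print(f"Total: {scorecard_total(SAMPLE_METRICS):.0f} of 100")
    print("Needs attention:", improvement_areas(SAMPLE_METRICS))
```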

Strategy2Act reports

Some clarification about the reports, metrics and Strategy2Act software mentioned above:

1) In this article we have described the most popular and useful IT security metrics. There are many ways to use them. What we suggest is incorporating the security metrics into a balanced scorecard; in this way you can connect your future security measures with your company's security strategy.

3) You can design your own security metrics tree or use the one suggested in the sample files; either way you obtain a Strategy Tree report, which lists all metrics and describes how each one is measured.

4) Security experts can work with the Strategy2Act software to perform a real audit of your security. They use Strategy2Act to assign their score to each metric. Once an expert has done this, he or she can generate a Scorecard report, which includes the expert's scores together with the total score (see the "74 of 100" total score in the sample).

5) Two more report types are also available. The Full Report combines both the security metrics and the experts' scores. The Report for PDA is a modified report that you can upload to your PDA to read later.

6) If you want to design your own IT security metrics scorecard, or invite an expert to evaluate your company's security against your security strategy tree, you will need the Strategy2Act files; the download link is: Security Metrics Balanced Scorecard.