1st Edition

Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement

By W. Krag Brotby
Copyright 2009
244 Pages, 14 B/W Illustrations
Auerbach Publications

    Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical.

    Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides anyone with security and risk management responsibilities insight into these critical security questions:

  • How secure is my organization?
  • How much security is enough?
  • What are the most cost-effective security solutions?
  • You can’t manage what you can’t measure

    This volume shows readers how to develop metrics that can be used across an organization to ensure that its information systems are functioning, secure, and supportive of the organization’s business objectives. It provides a comprehensive overview of security metrics, discusses the current state of metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response.

    The book ensures that every facet of security required by an organization is linked to business objectives, and provides metrics to measure it. Case studies effectively demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit.

    With three decades of enterprise information security experience, author Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security.

    Introduction
    Governance
    Metrics Overview
    Defining Security
    Is there a solution?
    SECURITY METRICS OVERVIEW
    Metrics and Objectives
    Information Security
    Security
    Why the IT metric focus
    Other assurance functions
    Stakeholders
    SECURITY METRICS
    Security Program Effectiveness
    Types of Metrics
    Information Assurance / Security Metrics Classification
    Monitoring vs. Metrics
    CURRENT STATE OF SECURITY METRICS
    Quantitative Measures and Metrics
    Performance Metrics
    Financial Metrics
    Return on Security Investment (ROSI)
    A new ROSI model
    Security Attribute Evaluation Method (SAEM)
    Cost-Effectiveness Analysis
    Fault Tree Analysis
    Value at Risk (VAR)
    ALE / SLE
    Other Value Metrics
    Limitations of existing approaches
    Qualitative Security Metrics
    Cultural Metrics
    Risk Management through Cultural Theory
    The Competing Values Framework
    Organizational Structure
    WIND
    STORM
    Hybrid Approaches
    Systemic Security Management
    Balanced Scorecard
    The SABSA Business Attributes Approach
    Quality Metrics
    Six Sigma
    ISO 9000
    Quality of Service (QOSS)
    Maturity Level
    Benchmarking
    Standards
    OCTAVE
    METRICS DEVELOPMENTS
    Statistical Modeling
    Phase Transitions in Operational Risk
    Adequate Capital and Stress Testing for Operational Risks
    Functional correlation approach to operational risk in banking organizations
    Systemic Security Management
    Value at Risk Analysis
    Factor Analysis of Information Risk (FAIR)
    Risk Factor Analysis
    Probabilistic Risk Assessment (PRA)
    RELEVANCE
    Problem Inertia
    Correlating Metrics to Consequences
    THE METRICS IMPERATIVE
    Study of ROSI of Security Measures
    Resource Allocation
    Managing without Metrics
    ATTRIBUTES OF GOOD METRICS
    Metrics Objectives
    Measurement Categories
    How can it be measured?
    What is being measured?
    Why is it measured?
    Who are the recipients?
    What does it mean?
    What action is required?
    INFORMATION SECURITY GOVERNANCE
    Security Governance Outcomes
    Defining Security Objectives
    Sherwood Applied Business Security Architecture (SABSA)
    CobiT
    ISO 27001
    Capability Maturity Model
    Metrics and Strategy
    Governance Metrics
    Strategic Alignment
    Risk Management
    Value Delivery
    Resource Management
    Performance Measurement
    Assurance Process Integration (convergence)
    METRICS DEVELOPMENT – A DIFFERENT APPROACH
    Activities Requiring Metrics
    INFORMATION SECURITY GOVERNANCE METRICS
    Strategic Security Governance Decisions
    Strategic Security Governance Decision Metrics
    Security Governance Management Decisions
    Strategic Direction
    Ensuring Objectives are Achieved
    Managing Risks Appropriately
    Using Resources Responsibly
    Security Governance Operational Decisions
    INFORMATION SECURITY RISK MANAGEMENT
    Information Security Risk Management Decisions
    Information Security Risk Management Metrics
    Criticality of assets
    Sensitivity of assets
    The nature and magnitude of impacts
    Vulnerabilities
    Threats
    Probability of Compromise
    Strategic initiatives and plans
    Acceptable levels of risk and impact
    Information Security Operational Risk Metrics
    Internal Fraud
    External Fraud
    Employment Practices and Workplace Safety
    Clients, Products & Business Practice
    Damage to Physical Assets
    Business Disruption & Systems Failures
    Execution, Delivery & Process Management
    INFORMATION SECURITY PROGRAM DEVELOPMENT METRICS
    Program Development Management Metrics
    Program Development Operational Metrics
    INFORMATION SECURITY PROGRAM MANAGEMENT METRICS
    Security Management Decision Support Metrics
    CISO Responsibilities
    CISO Decisions
    Strategic alignment
    Case Study
    Risk Management
    Metrics for Risk Management
    Organizational risk tolerance
    Resource valuation
    Comprehensive risk assessment
    Effectiveness of mitigation efforts
    Assurance Process Integration
    Value Delivery
    Resource Management
    Performance Measurement
    Information Security Management Operational Decision Support Metrics
    IT and Information Security Management
    Compliance Metrics
    Criticality and Sensitivity
    Risk Exposure
    The state of compliance
    Case Study
    Personnel Competence
    Resource adequacy
    Metrics Reliability
    Procedure functionality, efficiency, and appropriateness
    Strategic Performance Measures
    Tactical Performance Measures
    Key Control Effectiveness
    Control Reliability
    Control Failure
    Management Effectiveness
    INCIDENT MANAGEMENT AND RESPONSE
    Incident Management Decision Support Metrics
    CONCLUSIONS
    APPENDIX A. METRICS CLASSIFICATIONS
    IA Program Developmental Metrics
    Support Metrics
    Operational Metrics
    Effectiveness Metrics
    Metrics for Strength Assessment
    Metrics for Features in Normal Circumstances
    Metrics for Features in Abnormal Circumstances
    Metrics for Weakness Assessment
    APPENDIX B. CULTURAL WORLDVIEWS
    Hierarchists
    Egalitarians
    Individualists
    Fatalists
    APPENDIX C. THE COMPETING VALUES FRAMEWORK
    Vertical: Stability/Flexibility
    The Competing Values map
    Hierarchy
    Market
    Adhocracy
    APPENDIX D. THE ORGANIZATIONAL CULTURE ASSESSMENT INSTRUMENT (OCAI)
    APPENDIX E. SABSA BUSINESS ATTRIBUTE METRICS
    APPENDIX F. CAPABILITY MATURITY MODEL

    Biography

    W. Krag Brotby, CISM