What Actions Do Your Security Metrics Promote?

Thursday, July 12, 2012

Tripwire Inc


Article by Dwayne Melancon

I received a lot of comments and new ideas after my recent post on the 5 Characteristics of Effective Security Metrics.  

For example, I recently had a discussion on another forum regarding what you do with security metrics after you report on them.

In the interest of keeping the discussion going, I thought I’d relate some of that discussion here.  The premise is this:

“It is possible to focus on a single metric and drive it up or down, but wreak havoc on the organization through unintended side effects. Some organizations have to deal with some people “gaming the metrics”, which again can lead to unintended side effects. Other organizations use metrics as a way to begin a conversation: 'I notice that the x ratio went up last week – what’s behind that?'”

That’s a great point.  I am a firm believer that metrics, like statistics, don’t tell the whole story.  Effective metrics should drive behaviors, decisions, and help focus the quest for a deeper understanding of what’s going on behind the metrics.

Essentially, if you can create metrics that allow you to glance at a trend line and know whether things are OK and drive some smart questions when things don’t look right, you’re in pretty good shape.

I have a friend who can look at a balance sheet and tell you where the problems are with a business in about 5 seconds.  I don’t have that level of financial acumen, so I’d need to see a list that tells me something like:

  • Here are your top 5 indicators;
  • this is why they are important;
  • this is what ‘good’ looks like;
  • this is what ‘bad’ looks like; and
  • here are the relationships between those 5 indicators and what we’re doing in practice.

If I know these things, I can be effective in using the metrics to respond appropriately and make better decisions.  That’s what we’re trying to achieve with security metrics.

Keep the conversation going – I’d love to hear from you.  Next time I’ll talk a bit about how metrics can influence cultural dynamics.

Cross-posted from Tripwire's State of Security
