31 January 2013

SMotW #42: Consequences of noncompliance

Security Metric of the Week #42: Historic consequences of noncompliance

The title or name of this metric is not exactly crystal clear.  We presume it involves totting-up the fines/penalties resulting from noncompliance to (information security relevant) legal, regulatory and contractual obligations.


Knowing how much security noncompliance is costing the organization might conceivably help management determine whether sufficient resources are being applied to compliance activities ... but the metric has a few issues.  

It is historical, for starters, and we're not certain that projected trends would be meaningful in this context.  Noncompliance incidents tend to occur sporadically or in clusters (since investigating one incident may dig up others) rather than regularly and predictably.  

The Time taken to identify/calculate and sum compliance costs is another concern

Fines and penalties are not the only costs of noncompliance.  Bad publicity resulting from enforcement notices can cause brand damage, but how much is anyone's guess.  It 

Running the metric through the PRAGMATIC process resulted in a score of 68%:

P
R
A
G
M
A
T
I
C
Score
70
80
72
82
80
80
20
67
65
68%

As compliance metrics go, this is not one of the best.





1 comment:

  1. Compliance when done for the right reasons can be seen as an ounce of prevention, although often is seen as a checklist and nothing more.

    Fines and penalties often are seen as the cost of business, whereas the system availability, or more specifically non-availability.

    ReplyDelete

Have your say!