SMotW #82: non-financial impacts

Security Metric of the Week #82: non-financial impacts of information security incidents

You may genuinely believe that "In the end, it all comes down to money" and, in respect of our capitalist society and commercial organizations at least, you have a point. Money is the near-universal unit of measurement, valuation and comparison, undoubtedly an important parameter. However, "There's more to life than money" and more at stake than simply returning a profit.  This metric attempts to measure the broader effects of information security incidents, other than their financial impacts. 

Consider the following examples to understand what the metric might attempt to measure:

• In addition to the financial costs and penalties arising from privacy breaches, individuals' personal interests and wellbeing are harmed, corporate reputations and brands suffer, and society as a whole is impoverished by the erosion of trust;
• When government departments and non-profit organizations suffer privacy incidents, the financial aspects tend to be minor or negligible considerations;
• Viruses, human errors or hacks of SCADA/ICS systems can result in environmental disasters and harm that no amount of money will solve;
• Even though short-term performance constraints in a transactional retail website may not cause a material loss of income, delays and frustration are hardly going to enhance customer satisfaction and loyalty;
• The financial costs, while considerable, are not the most important fallout from recent unauthorized public disclosures concerning the NSA's surveillance activities;
• When a 'silver surfer' suffers a hard drive failure that destroys their unique and irreplaceable stash of family snapshots, the direct financial costs in replacing the broken disk are immaterial;
• If a teen's, celebrity's or politician's sexting somehow finds its way onto the Internet, the personal embarrassment and perhaps career-limiting knock-on effects are far more than purely monetary. Along with bullying and taunting, such incidents can literally be life-changing if not life-threatening.

ACME's managers scored the metric a lowly 31%:

P	R	A	G	M	A	T	I	C	Score
60	65	0	20	60	6	30	20	17	31%

They must have been in a distinctly cynical frame of mind to rate the metric a resounding zero for Actionability: there are things that can and should be done to limit non-financial impacts of incidents, and the metric could provide a rough guide as to how much effort and resources to invest in that area. Remember, though, that ACME Enterprises Inc. is a typical (if fictional) commercial organization, perhaps implying a myopic management focus on numbers preceded by dollar signs.

They were similarly unimpressed with the Accuracy of this metric. Measuring the full financial impacts of security incidents is hard enough; how would one even start to measure non-financial effects?  [Actually, it's not as tricky as one might think. One measurement approach might be to use scales indexed with specific examples of various kinds of non-financial impact, enabling the metrician to rate or score actual incidents relative to the examples. Victims' impressions or perceptions of lasting harm can be measured by survey techniques.]

Whereas we have picked out this metric for discussion and scoring in isolation, in practice it would probably be considered and used alongside its non-identical twin "Financial impacts of information security incidents". The PRAGMATIC approach works equally as well for linked or complex metrics, despite the need to take account of additional options and factors. Taking things up a level or two, it might be interesting to analyze an organization's overall approach to information security metrics - or indeed all forms of metrics - in PRAGMATIC terms. Organizations with a highly mature approach to metrics might address rhetorical questions such as "How Cost-effective are our metrics?" and "Are our metrics sufficiently Predictive and Genuine?" in a systematic, strategic manner.