Example Information Security Metric of the Fifth Quarter
The PRAGMATIC scores for another 3-month's worth of information security metrics examples are as follows:
Top of the heap are two maturity metrics scoring 85% and 86%, with a further 3 metrics also scoring in the 80's.
While it is tempting to recommend these and other high-scoring metrics to you, dear reader, please bear in mind that they were scored in the context of a fictional manufacturing company, Acme Enterprises Inc. The scores reflect the perceptions, prejudices, opinions and needs of Acme's managers, given their current situation. Things are undoubtedly different for you. We don't know what's really important to you, your managers and colleagues, about information security. We have no idea which aspects are of particular concern, right now, nor what might be coming up over the next year or three. Hence we encourage you to think critically about the way we describe the metrics, and preferably re-score them.
Furthermore, PRAGMATIC scores alone are not necessarily a sound basis on which to select or reject metrics. It's not that simple, unfortunately, despite what you may think given the way we bang on and on about PRAGMATIC! The scores are intended to guide the development of an information security measurement system, a well-thought-out suite of metrics plus the associated processes for measuring and using them. Considering and scoring each security metric in isolation does not build the big picture view necessary to measure information security as a coherent and integral part of the organization's management practices.
The book describes PRAGMATIC scoring as the heart of a comprehensive method, an overall approach to information security metrics. The method starts by figuring out your metrics audiences and their measurement requirements, building a picture of what you are hoping to achieve. Knowing why certain security metrics might or might not be appropriate for your organization is arguably even more important than knowing which specific metrics to choose ... but, that said, the act of gathering, contemplating, assessing and scoring possible metrics turns out to be a productive way both to determine and to fulfil the needs. It's a deliberately pragmatic approach, a structured method that achieves a worthwhile outcome more effectively and efficiently than any other approach, as far as we know anyway. Perhaps you know different?
No comments:
Post a Comment
Have your say!