Where relevant, using current business metrics (also) for information risk
and security purposes can be cost-effective if suitable raw data are already being gathered: the
additional analysis, reporting and use incur relatively little incremental cost, especially
if largely automated.
Corollary: when searching for metrics in any area of information risk and security, don't forget to check through existing business metrics alread in use for anything suitable, either as-is or with minor changes.
It would be easier to identify such metrics if the organization maintained a metrics inventory or database ...
No comments:
Post a Comment
Have your say!