Information Security Metrics

1
Information Security Metrics
2
Why Measure Information Security

• Improve accountability for security
• Better administer the security budget
• Allow to measure success/failure of investments
  made
• Give a business value to security
• Assess effectiveness of implemented processes,
  procedure and controls
• Standard Compliance (ISO 27001)?

3
Why Measure Information Security (2)?

• Ability to isolate problems
• End up with data you can reuse -)?
• Benchmarking
• Ability to track the risk profile
• Show commitment to proactive information security

4
Security Metrics? What's That?

• Not shared understanding of
• What they mean
• What we can/should measure
• How to define them
• What to do with the measurement

5
Defining Security Metrics

• Many definitions
• Quantitative vs Qualitative
• Thinkers vs Feelers
• Simple vs Complex

• Metrics are a system of parameters or ways of
  quantitative and periodic assessment of a process
  that is to be measured, along with the procedures
  to carry out such measurement and the procedures
  for the interpretation of the assessment in the
  light of previous or comparable assessments
  (Wikipedia)?
• Monitor and measure implementation effectiveness
  of security controls within the context of the
  security program (NIST)?

6
Lots to Measure Here!

• Information Security Management System
• Management Processes
• Business Processes
• Procedures
• Policies

• Technical Controls
• Level of Implementation
• Effectiveness/Efficiency
• Impact
• User compliance
• etc.

7
Classification of Security Metrics

• NIST
• Implementation, Effectiveness/Efficiency, Impact
• 17 security control families
• Time dimension
• BSI (ISO 27001)?
• Management controls, business processes,
  operational controls, technical controls, audits
  review and testing
• 11 control objectives
• Implementation, Effectiveness and Performance

8
Security Metrics for ISO 27001
9
Developing Security Metrics I

• Implementation Metrics
• Effectiveness and Efficiency Metrics
• Impact Metrics
• What do we measure?
• Single Controls
• Multiple Controls

NIST
10
Developing Security Metrics II

• ISMS Metrics
• Performance and Effectiveness
• Not Implementation
• Controls Metrics
• Effectiveness and Implementation
• Control or groups of controls

BSI-ISO27001
11
What's in a Metric
12
Conclusions...

• Adopt a security metrics model (NIST/BSI)?
• Included definition
• Support for metrics development and follow up
• What to measure
• Not necessarily control specific
• May aggregate more than one control according to
  goals
• Start with high-priority controls/goals first
• Linked to business objectives (Involve
  stakeholders)?

13
...conclusions

• Types of Metrics
• Implementation, effectiveness, efficiency and
  impact
• Implementation
• May be phased according to system's maturity
• Remember data may not be available
• Start from processes that are stable and from
  which data can be realistically obtained

14
References

• NIST-SP 800-80 Guide for Developing Performance
  Metrics for Information Security (2006)?
• Metrics templates and examples
• NIST SP 800-55 Security Metrics Guide for
  Information Technology Systems (2003)?
• Security Metrics Programme, sample IT security
  metrics
• Humphreys T, Plate A 2006. Measuring the
  effectiveness of your ISMS implementations based
  on ISO/IEC 27001. British Standards Institution.
• PDCA model, sample metrics
• Security Metrics portal
• http//teaching.shu.ac.uk/aces/ag/securitymetrics/