Importance of metrics for a successful information security program
The recognition of information assurance and information security has transitioned from an ancillary activity assigned to the IT department to a required business function with its own recognized cross-domain impact across an organization. This is evident in the evolution of NIST SP 800-53, where security has gone from a concept derived from the system development lifecycle to an enterprise-wide risk management concern, complete with a risk executive (function).
The recognized importance and value of security now bring it under the purview of senior management. Senior management requires dashboard-level views of business functions to make strategic and tactical decisions. This need is exactly why security metrics are critical to the success of an organization's information security plan.
Metrics enable a business to understand both the current condition of its security posture and the direction in which it is heading. Based on the insight that aggregated metrics provide, management can refine a process or procedure to be more effective, to cost less, or to be combined with other redundant processes.
Per John McCumber's methodology for implementing effective IT risk management, human factors are one third of the targeted areas to address. Metrics are reportable and discussable, and they often require human involvement for reporting and dissemination. This provides direct awareness and involvement of the human-factor elements of a business, increasing the indirect value of the metrics.
I do not agree with the simplistic view that the number of reported vulnerabilities found on an information system is a good security metric. An information system with 100 low risk, low probability vulnerabilities is, in my opinion, more secure than an information system with 1 high risk, high probability vulnerability.
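The comparison above, worked through as an added example that is not part of the essay: three ways of aggregating the same two constructed vulnerability inventories into a metric. The three-level ordinal scale, the "critical" threshold and the sample findings are assumptions chosen for illustration; only the threshold-based metric agrees with the essay's ranking of the two systems.

```python
from dataclasses import dataclass

# Assumed ordinal weights for qualitative impact and likelihood ratings.
LEVEL = {"low": 1, "moderate": 2, "high": 3}
# Assumed cut-off: findings with impact x likelihood >= 6 (e.g. high/moderate)
# are reported as critical exposure.
CRITICAL_THRESHOLD = 6


@dataclass(frozen=True)
class Finding:
    ident: str
    impact: str      # "low" | "moderate" | "high"
    likelihood: str  # "low" | "moderate" | "high"

    def risk(self) -> int:
        """Impact x likelihood on the ordinal scale, range 1..9."""
        return LEVEL[self.impact] * LEVEL[self.likelihood]


def raw_count(findings: list[Finding]) -> int:
    """The metric the essay rejects: every finding weighs the same."""
    return len(findings)


def summed_risk(findings: list[Finding]) -> int:
    """Adding ordinal scores still lets many trivial findings outweigh one severe one."""
    return sum(f.risk() for f in findings)


def critical_count(findings: list[Finding]) -> int:
    """Findings at or above the threshold; a pile of low/low items adds nothing."""
    return sum(1 for f in findings if f.risk() >= CRITICAL_THRESHOLD)


def worse_system(a: list[Finding], b: list[Finding], metric) -> str:
    """Return which system ('A', 'B' or 'tie') the given metric ranks as worse."""
    ma, mb = metric(a), metric(b)
    return "A" if ma > mb else "B" if mb > ma else "tie"


# Constructed inventories mirroring the essay: 100 low/low vs 1 high/high.
SYSTEM_A = [Finding(f"A-{i:03d}", "low", "low") for i in range(100)]
SYSTEM_B = [Finding("B-001", "high", "high")]

if __name__ == "__main__":
    for m in (raw_count, summed_risk, critical_count):
        print(f"{m.__name__:15s} A={m(SYSTEM_A):4d} B={m(SYSTEM_B):4d} "
              f"worse={worse_system(SYSTEM_A, SYSTEM_B, m)}")
```

Raw count and summed score both rank system A as worse; the critical-exposure count is the one that surfaces system B's single high/high finding.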
I would suggest to an organization that a security framework be implemented to effectively address its information security needs in an organized manner. ISO 27001, CobIT, and NIST are all mature, proven security frameworks to select from. An organization that implements a framework gains the ability to effectively capture metrics on its implementation of, and compliance with, the security framework. This kills two birds with one stone: a proven security framework and the ability to assess compliance, which yields metrics.
Bibliography
IT Governance Institute. (2007). CobIT 4.1. Rolling Meadows, IL: IT Governance Institute.
McCumber, J. (2005). Assessing and Managing Security Risk in IT Systems: A Structured Methodology. Florida: Auerbach Publications.
National Institute of Standards and Technology. (2007, December). NIST Publications. Retrieved November 19, 2009, from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
Payne, S. (2006, June 19). A Guide to Security Metrics. Retrieved February 6, 2010, from SANS Institute Infosec Reading Room: http://www.sans.org/reading_room/whitepapers/auditing/a_guide_to_security_metrics_55?show=55.php&cat=auditing