One of the themes pervading our book PRAGMATIC Security Metrics is that each organization needs to figure out for itself which metrics are worth pursuing, preferably using a systematic approach that takes into account the goals and objectives of information security ... which differ from organization to organization, hence unfortunately there is no universal answer to the question "Which are the best security metrics?" Those of you who expect an easy ride to metrics nirvana are going to be disappointed, I'm afraid, but the PRAGMATIC method does at least let you cut a few corners while avoiding the ditches.
That said, occasionally we come across security metrics that stand out as being more widely applicable than most. Intriguingly they are not, necessarily, the security metrics that most organizations are currently using: I'm talking here about genuine value and utility, not popularity.
The green pie chart illustrates a single example to whet your appetite, a metric that is deceptively simple, fairly cheap and easy to generate, that is closely linked to the organization's information security status, one that speaks volumes in almost any organization, and yet one that isn't commonplace. The metric is <cue drum roll> policy quality. Find out more about this metric and many others in the book or on the PRAGMATIC metrics blog.
The reason* for bringing it up here is to make the points that (a) some security metrics probably deserve wider recognition, and (b) the PRAGMATIC method is a structured, rational and consistent way to determine, express and discuss the strengths and weaknesses of individual metrics.
From time to time, various organizations have compiled metrics catalogs or recommended certain metrics, but their reasoning typically varies from case to case, assuming they even bother to explain or justify their choices. It's much the same with "best practices": what's best for you may not be best for me, because we are in different situations. It comes back to each organization's particular goals and objectives for information security, unique risk management challenges and constraints, differing maturity ... in short, context.
That said, I personally feel "policy quality" probably qualifies as a universally beneficial security metric since (as explained in the metrics blog) security policies are an extremely valuable and important component of virtually all information security programs, and this metric is a great way to measure and improve them.
So, what are your favorite information security metrics, or more specifically which ones would you say are universally valuable, and why? Comments welcome!
Gary Hinson CISSP
* Apart from the blatant self-promotion. Please forgive my obvious fascination with this topic. I'm passionate, borderline obsessive about security metrics.