Measuring Information Security: Guidelines to Build Metrics

  • von Faber E

Abstract

Measuring information security is a genuine interest of security managers. With metrics they can develop their security organization's visibility and standing within the enterprise or public authority as a whole. Organizations using information technology need to use security metrics. Despite the clear demands and advantages, security metrics are often poorly developed or ineffective parameters are collected and analysed. This paper describes best practices for the development of security metrics. First attention is drawn to motivation showing both requirements and benefits. The main body of this paper lists things which need to be observed (characteristic of metrics), things which can be measured (how measurements can be conducted) and steps for the development and implementation of metrics (procedures and planning). Analysis and communication is also key when using security metrics. Examples are also given in order to develop a better understanding. The author wants to resume, continue and develop the discussion about a topic which is or increasingly will be a critical factor of success for any security managers in larger organizations.

Cite

von Faber, E. (2010). Measuring Information Security: Guidelines to Build Metrics. In ISSE 2009 Securing Electronic Business Processes (pp. 17–26). Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9363-5_2
