In our recent FISMA audit at work, KPMG didn’t like the vulnerability remediation report that I create each month for the Infosec group. They wanted more metrics, but their examples of metrics were very similar to what I already do.
Flash forward a few weeks, and we have a CEO who is very interested in numbers… in metrics.
I spend a lot of time on putting together the Infosec report, but I have to question whether some of the numbers prove anything other than that the products in question are still collecting data.
So to meet these two demands for metrics, I’m searching high and low. This will have to be an off-hours project. At work, my top two tasks right now are writing an incident response plan and selecting an FDE product. That doesn’t leave a lot of spare time.
So I’ve spent some time reading the reviews of “Security Metrics: Replacing Fear, Uncertainty, and Doubt” over at Amazon. I’ve looked at “A Few Good Metrics” over at CSOonline.
I’m wondering if it’s worth getting the book or if I should just read NIST 800-80, “Guide for Developing Performance Metrics for Information Security”, and 800-55, “Security Metrics for Information Technology Systems”.
I do believe the right metric can provide insight and be a true measuring stick for the infosec program. I’m just afraid that metrics done poorly will lead to spending a lot of time gathering arcane correlations that no one will read and that will mean nothing.

  1. It sounds like your problem is a “Not Invented Here” on the side of the auditors–it’s not in the format that they want. Personally, I could care less–the metrics are for you and your organization to determine the effectiveness of your security program. The problem comes when you are evaluated by the auditors, and the way auditors are, if they can’t understand it, you don’t get credit for it.
    Please read Jaquith’s book. He’s pretty smart about these things and lists what good metrics are. He has an email list that you can ask questions on. Every one of the people on the list is very smart and very good at metrics.

