The use of metrics and analysis (MA) is a mature practice in security management that draws on data to produce usable, objective information and insights that guide decisions. MA also gives chief security officers (CSOs) clear evidence of the value of their operations, expressed in the language top management uses.
As Carnegie Mellon University notes, “metrics are quantifiable measurements of some aspect of a system or enterprise… Security metrics focus on the actions (and results of those actions) that organizations take to reduce and manage the risks of loss of reputation, theft of information or money, and business discontinuities that arise when security defenses are breached.”
Through MA, a CSO or other security professional can better understand risks and losses, discern trends and manage performance. He or she can also report clearly and accurately to executive management. Each of these uses of MA supports the organization’s strategic goals.
Software designed specifically for the security field can make the gathering of security- and risk-significant data orderly, convenient and accurate, and can hold the data in a format that facilitates analysis. Security- and risk-focused incident management software standardizes how data is recorded and consolidates it in one place. Such software also automates much of the analysis itself, through trending, predictive analysis and the generation of customized statistical reports.
This paper synthesizes the current MA literature in the security management field. It describes the use of metrics and analysis to:
It then describes the process of developing specific metrics, collecting and managing data and performing useful analyses with security risk-focused software.