Security metrics are important to measure and evaluate the effectiveness of the security measures, and are required to provide a quantitative and unbiased basis for security operations since they aid in decision making and maintenance of security operations within an organization (Moeti & Kalema, 2014). These metrics help determine if the security components meet their objectives and also avoid doing what they weren’t intended to do. Thus, security and risk metrics play a very important role in assessing the actual state of the system security (Moeti & Kalema, 2014).
4.1 Baseline Metric Framework
Meaningful metrics are required to uniquely measure results specific to a security control and determine if it meets the security control process objectives (Hajdarevic & Allen, 2013). According to Pironti
An example of an organizational metric would be a measure of how effectively the security protocols to be followed are communicated within an organization.
• Operational Metrics – These metrics evaluate the effectiveness of the controls implemented to protect an organization’s information infrastructure. Example: the number of intrusions detected by monitoring systems.
• Technological Metrics – These metrics measure the effectiveness of the technological controls in place to protect the organization’s IT infrastructure. Example: the number of spam emails successfully filtered by the spam filtering tool.
• Business Process Metrics – These metrics measure the impact of information security activities on the performance of a specific business process. Example: the operational cost incurred by introducing a strong authentication process.
• Business Value Metrics – These metrics measure the direct business impact of information security activities. Example: the number of negative media articles published about the organization’s information