Having just discussed our fifty-second Security Metric of the Week here on the blog, it's time now to announce our top-rated example security metrics from the past year.
<Cue drum roll>
The PRAGMATIC Security Metric of the Year, 2013, is ... "Security metametrics"
<Fanfare, riotous applause>
Here are the PRAGMATIC ratings for the winner and seven runners-up, all eight example metrics having scored greater than 80%:
|Access alert message rate||87||88||94||93||93||94||97||89||79||90%|
|Business continuity maturity||90||95||70||80||90||85||90||87||90||86%|
|Asset management maturity||90||95||70||80||90||85||90||85||90||86%|
|Infosec compliance maturity||90||95||70||80||90||85||90||85||90||86%|
|Physical security maturity||90||95||70||80||90||85||90||85||90||86%|
|HR security maturity||90||95||70||80||90||85||90||85||90||86%|
Before you rush off to implement these eight metrics back at the ranch, please note that the PRAGMATIC scores were calculated in the context of an imaginary organization, ACME Enterprises Inc. They reflect ACME's situation, and ACME management's perspectives, understanding, prejudices and measurement objectives. They are merely worked examples, demonstrating how to apply the PRAGMATIC method in practice. You may well already have better security metrics in place, and we know there are many other excellent security metrics - not least because there are other high-scoring examples in the book! In short ...
Y M M V
Your Metrics May Vary
You have no doubt noticed that five of the top eight are "maturity metrics", and if we include "security metametrics", fully six of the top eight are our own invention ... which probably reveals a bias in the way we scored and ranked the metrics. These six are our babies and, naturally, we love them to bits, warts and all. We are blind to their imperfections. On the other hand, using the PRAGMATIC approach, we have elaborated in some detail on why we believe they are such strong candidates for ACME's information security measurement system. We've shown our workings, and actively encourage you to review and reconsider these and other candidate metrics in your own contexts.
It might be nice if we could develop and agree on a comprehensive suite of universally-applicable information security metrics, particularly as we now have a more rational approach than "Trust us, these are great security metrics!" However, that may be just a pipe-dream since we are all so different. Is it realistic to presume that the half-dozen information security metrics that have been chosen by, say, a small charity would also feature among the two dozen selected by a large bank, or the four dozen imposed on a government department by some regulatory authority? We suspect not, but having said that we would be delighted to reach a consensus on a handful of PRAGMATIC security metrics that have proven themselves invaluable to almost everyone.
OK, that completes the first year of our cook's tour of information security metrics. In the months ahead, we plan to continue discussing and scoring other example metrics from the book, along with various others that pop into our consciousness from time-to-time. If you'd like us to consider and score your favorite information security metric, then why not join the security metametrics discussion forum and tell us all about it? Does yours score above 80%? What makes it shine?