Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Feb 12, 2014

PRAGMATIC Security Metric of the Quarter #7

PRAGMATIC Information Security Metric of the Seventh Quarter


According to the overall PRAGMATIC scores assigned by ACME's managers, the latest metric discussed was the top choice in the three months just past, but it was a close-run thing:

Example metric P R A G M A T I C Score
Information security incident management maturity 90 95 70 80 90 85 90 85 90 86%
Information security ascendancy 97 87 15 94 86 90 99 97 99 85%
Quality of system security 83 88 83 73 90 68 80 82 10 73%
Integrity of the information asset inventory 82 66 83 78 80 43 50 66 70 69%
Proportion of systems security-certified 72 79 73 89 68 32 22 89 88 68%
Number of different controls 71 75 72 75 88 30 50 65 43 63%
Controls consistency 78 83 67 60 71 33 27 31 27 53%
Value of information assets owned by each Information Asset Owner 48 64 78 57 79 38 50 22 26 51%
Number of information security events and incidents 70 60 0 50 72 35 35 70 50 49%
% of business units using proven identification & authentication 69 73 72 32 36 4 56 2 50 44%
Distance between employee and visitor parking 1 0 6 93 2 93 66 45 66 41%
Employee turn vs account churn 30 30 11 36 44 36 62 57 20 36%
Non-financial impacts of information security incidents 60 65 0 20 60 6 30 20 17 31%



"Maturity of the organization's information security incident management activities" seems to us to be an excellent proxy or indicator for the organization's overall approach to information security. The maturity scoring process we have described makes this a valuable metric, not just in terms of the final maturity rating but also the additional information that emerges when comparing current practices against accepted good practices.

Just as interesting are the metrics languishing at the bottom of the league table. For example, "Non-financial impacts of incidents" may appear, at first glance, to hold considerable promise as a security metric but the PRAGMATIC score clearly indicates ACME management's severe misgivings once they explored the metric in more detail.

Instead of simply selecting metrics on the basis of their the overall PRAGMATIC scores, management could instead select high-rating metrics for any one of the individual PRAGMATIC criteria, or any combination thereof - for example, 'information security ascendancy' is rated the most predictive and cost-effective security metric of this little lot.

In researching and developing the PRAGMATIC method for the book, we explored the possibility of weighting the PRAGMATIC ratings in order to place more or less emphasis on the criteria. There may be situations where that is a sensible approach but, in the end, we decided that the overall PRAGMATIC score was the most valuable and straightforward metametric.