Security Metric of the Week #36: business continuity expenditure
At first glance, this looks like a must-haveinformation metric: surely expenditure on business continuity is something that management can't possibly do without? As far as ACME Enterprises is concerned, this metric warrants a fairly high PRAGMATIC score of 71%, making it a strong candidate for inclusion in ACME's information security measurement system.
It has its drawbacks, however. Determining BC expenditure accurately would be a serious challenge, but thankfully great precision is probably not necessary in this context: estimations and assumptions may suffice. Still, it would be handy if the accounting systems could be persuaded to regurgitate a sufficiently credible and reliable number on demand. Furthermore, it is not entirely obvious what management is expected to do as a result of the metric, at least not unless the business benefits of business continuity are also reported. The net value of business continuity, then, could be an even better metric.