Biological metrics - commonly shortened to "biometrics" - comprise an interesting class of information security metrics that, unfortunately, we didn't have space to explore in our book. Biometrics are commonly used for strong authentication in situations where there is a genuine need to authenticate and distinguish legitimate people from impostors.
Take for example your heart rhythm. According to the blurb on the Bionym website "Bionym has developed the first wearable authentication device that utilizes a user's Electrocardiogram (ECG) to validate a person’s identity." Before reading that, I didn't even appreciate that heart rhythm was a reliable biometric. I presume the Nymi can cope with heart rate changes caused by stress, exercise, rest, drugs such as caffeine, and some medical conditions - it does at least have the advantage of collecting biometric data over a sustained period, but as with any biometric, there must surely be some important tolerance parameters in there due to natural variations and the accuracy constraints of measurement. I wonder if patients with pacemakers have less-unique ECGs? I wonder if Nymi sounds the alarm if the wearer suffers an obvious cardiac incident? The site mentions that it guards against electronic spoofing, but I wonder how the Nymi prevents replay of captured ECGs? As always with cryptography, many security concerns may arise from the implementation details, particularly the concessions made for practical reasons of cost and utility. I have no reason to doubt that Bionym have covered all the bases, but thanks to the 'security mindset' I'm naturally curious, dubious and perhaps even a touch cynical about their marketing claims.
Talking of being security-minded, Bionym's comparison to fingerprints ("Your cardiac rhythm is protected inside your body, making it almost impossible to steal, mimic or circumvent. In comparison, a fingerprint is left on every surface a user touches") reminds me that biometric data are sensitive by nature (terrible pun intended!). Should we now be concerned about protecting our ECG records at the surgery, in the same way that we perhaps ought to worry about our iris and retinal patterns at the optometrist, and our dental records at the dentist? Do powerful heads of state have teams of DNA flunkies following them wherever they go to secure all the cellular detritus they inevitably shed and leave behind?
In the same vein (yes, an even worse pun), many other information security metrics are themselves sensitive, valuable information that almost certainly deserves to be secured. Imagine the mischief that someone could cause if they ascertained your organization's risk catalog, its IT audit reports, or the results from vulnerability scans and penetration tests. Therefore, when specifying and designing an information security measurement system, don't forget to consider the associated information security risks and controls.
PS I have no affiliation with or commercial interest in Bionym or Nymi. I hadn't even heard of them before reading Brian Honan’s Security Watch blog this morning. Thanks Brian!