Here's the next security awareness paper in the series, describing metrics relating to contingency and business continuity management.
"Measuring the effectiveness of contingency arrangements is a tough challenge, not least because (like insurance policies) we hope we will never need to use them. However, it makes sense to measure our investment in contingency plans and preparations, and to confirm whether management is sufficiently confident in them, prior to enacting them, as by that stage it will be too late."
Possible contingency metrics suggested in the paper include:
- RTO and RPO - classic disaster recovery metrics in their own right
- Resilience - measured by incidents
- Recovery - proportions of systems for which RTO/RPO are defined, tested and met
- Costs - easier to measure than benefits, and yet an uncommon metric in practice
- Management confidence - to what extent do managers believe in the contingency arrangements?
There are many other possible metrics in this area. What do you measure? Why? What do your contingency or business continuity metrics tell you?