METRICS AND ANALYSIS IN SECURITY MANAGEMENT


WHITE PAPER METRICS AND ANALYSIS IN SECURITY MANAGEMENT By Brian McIlravey, CPP and Peter Ohlhausen

About the Authors: Brian McIlravey, CPP, is Co-CEO of PPM 2000 Inc. (www.ppm2000.com) and is responsible for driving strategic planning and product direction. He is a member of ASIS International's Information Security Technology Council and has experience in both corporate security and public law enforcement. Peter Ohlhausen is president of Ohlhausen Research, Inc. (www.ohlhausen.com), which for more than 20 years has provided research and consulting to the security, technology, and criminal justice fields. He formerly served as editor of Security Management, the monthly magazine of ASIS International.

Published by PPM 2000 Inc. www.ppm2000.com

For over twenty years, PPM has worked with organizations around the world using their knowledge of risk management, security management and loss prevention to provide high quality subject matter expertise in the design and application of Incident Reporting and Investigation Management software. Thousands of organizations have implemented a PPM solution, and the company's clients span all industries and the Fortune 1000. PPM is recognized by Microsoft as a Gold Independent Software Vendor. From incident reporting, to investigation management, to actionable business intelligence, PPM offers end-to-end Incident Management solutions for and from security professionals. For more information on Perspective by PPM 2000, contact PPM toll-free at 1-888-776-9776 or email information@ppm2000.com. Copyright 2012 PPM 2000 Inc.

Contents
Executive Summary 7
The Power and Importance of Metrics and Analysis 8
Fortified Decision Making 11
Metrics as a Security Operations Tool 12
Metrics as Marketing for the Security Program 14
Developing Specific Metrics 17
Essential Ingredient: Data 20
From Data to Information: Analyzing Metrics 21
Getting Started 23
References 25

PPM 2000 Inc., 10088 102 Avenue, Suite 1307, Edmonton, Alberta T5J 2Z1, 1 888 776 9776, information@ppm2000.com, www.ppm2000.com

Executive Summary

The use of metrics and analysis (MA) is a sophisticated practice in security management that takes advantage of data to produce usable, objective information and insights that guide decisions. In addition, MA provides chief security officers (CSOs) with clear evidence of their operations' value, expressed in the language of top management. As Carnegie Mellon University notes, "metrics are quantifiable measurements of some aspect of a system or enterprise ... Security metrics focus on the actions (and results of those actions) that organizations take to reduce and manage the risks of loss of reputation, theft of information or money, and business discontinuities that arise when security defenses are breached."

Through MA, a CSO or other security professional can better understand risks and losses, discern trends and manage performance. He or she can also report clearly and accurately to executive management. These uses of MA all work to support the organization's strategic goals.

Software designed specifically for the security field can make the gathering of security and risk-significant data orderly, convenient and accurate, and hold the data in a format that facilitates analysis. Security and risk-focused incident management software offers both the standardization and consolidation of data. Such software also automates the task of analysis through trending and predictive analysis and the generation of customized statistical reports.

This paper synthesizes the current MA literature in the security management field. It describes the use of metrics and analysis to:
- Improve decision making;
- Strengthen security operations; and
- Gain support for the security and risk management operation.

It then describes the process of developing specific metrics, collecting and managing data and performing useful analyses with security risk-focused software.

Metrics and Analysis in Security Management 7

The Power and Importance of Metrics and Analysis

This paper examines key themes and thinking in the field of metrics and analysis (MA), focusing on applications in the domain of security management. The aim is to inform security professionals about a powerful practice that is becoming increasingly essential in competitive business environments and, in fact, is often demanded by executive management. The use of MA is part of a serious approach to security management. In contrast to more casual, gut-oriented approaches to security decision making, MA takes advantage of data to produce usable, objective information and insights that guide decisions. In addition, MA provides CSOs with clear evidence of their operations' value, expressed in the language of top management.

WHY USE METRICS?
Metrics and analysis provides CSOs with clear evidence of their operations' value, expressed in the language of top management.

"What's the benefit of using metrics? Basically, to improve overall security and reduce costs."
Raymond Musser, CPP, Vice President, Security, General Dynamics (Musser, 2011)

The Systems Security Engineering Capability Maturity Model, developed by a team headed by Carnegie Mellon University to advance security engineering, provides an especially clear view of metrics:

At a high level, metrics are quantifiable measurements of some aspect of a system or enterprise. For an entity (system, product, or other) for which security is a meaningful concept, there are some identifiable attributes that collectively characterize the security of that entity. Further, a security metric (or combination of security metrics) is a quantitative measure of how much of that attribute the entity possesses ... Security metrics focus on the actions (and results of those actions) that organizations take to reduce and manage the risks of loss of reputation, theft of information or money, and business discontinuities that arise when security defenses are breached. They are useful to senior management, decision makers, users, administrators, or other stakeholders who face a difficult and complex set of questions regarding security, such as:
- How much money/resources should be spent on security?
- Which system components or other aspects should be targeted first?
- How can the system be effectively configured?
- How much improvement is gained by security expenditures, including improvements to security processes?

- How do we measure the improvements?
- Are we reducing our exposure?

The MA approach results in business intelligence, which has been defined as (PPM 2000 Webinar, 2009):

The collection, integration, analysis, interpretation and presentation of business information to provide historical, current and predictive views of business operations, [and] the use of this information through extraction, analysis and reporting to support better business decision making.

The insights and findings a CSO gains through MA can support activities both inside and outside the corporate security department. Inside the department, the CSO can better understand risks and losses, discern trends and manage performance based on actual measurements. Outside the department, the CSO can report clearly and accurately to executive management. Both the internal and external uses of MA work to support the organization's strategic goals.

The related concept of benchmarking, comparing one's organization with others in the same industry, relies in part on using metrics. That comparison relies first of all on an understanding of one's own organization, and that understanding must be developed through MA. According to Hayes and Kotwica (2011):

Business leaders recognize benchmarking as a proven business practice that can identify competitive strengths and vulnerabilities as well as opportunities for improvement ... But while the demand for performance measures has trickled down to the security function, the appreciation for them hasn't always come along for the ride. Too many security leaders create or find benchmarks for the sole purpose of appeasing their bosses rather than from an earnest desire to use these tools to explore what others are doing, address potential gaps and add value.

ALIGN STRATEGY AND PERFORMANCE
"[C]orporate performance metrics [was] the topic tackled by the most recent Blue Ribbon Commission at the National Association of Corporate Directors (NACD). Why corporate performance metrics? Because they link corporate strategy and corporate performance ... Strategy is about the future, performance is about the past and metrics align the two."
Financial Executive (Daly, 2011)

It is important to remember that MA consists of both metrics and analysis. Hayes and Kotwica emphasize that point with the example of benchmarking on corporate ethics hotlines. The benchmark report may suggest that the average organization of a certain size and industry receives eight to nine calls to the corporate ethics hotline per thousand employees. If a particular company receives only three calls per thousand employees, analysis is warranted. Does the company have fewer ethics problems than its peers? Are employees intimidated into not reporting their concerns? Is the hotline underpublicized?
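The hotline benchmark reasoning above, written out as an added example (not code from the white paper or from PPM): raw per-period counts are normalized to a rate per thousand employees, compared with the 8-to-9 peer benchmark, and a low rate returns the follow-up questions rather than a conclusion. The sample measurements are constructed.

```python
# Added example (not from the white paper or PPM): measurements -> rate per
# thousand employees -> comparison with the peer benchmark -> analysis questions.
# All measurements below are constructed sample data.
from dataclasses import dataclass

# Peer benchmark quoted in the paper: 8 to 9 calls per thousand employees.
BENCHMARK_LOW = 8.0
BENCHMARK_HIGH = 9.0


@dataclass(frozen=True)
class Measurement:
    """A single-point-in-time count (a measurement, not yet a metric)."""
    period: str     # reporting period, e.g. a fiscal year
    calls: int      # hotline calls received in that period
    headcount: int  # employees during that period


def rate_per_thousand(m: Measurement) -> float:
    """Normalize the raw count so organizations of different size compare."""
    if m.headcount <= 0:
        raise ValueError("headcount must be positive")
    return m.calls * 1000.0 / m.headcount


def classify(rate: float, low: float = BENCHMARK_LOW, high: float = BENCHMARK_HIGH) -> str:
    """Position a rate against the benchmark range."""
    if rate < low:
        return "below"
    return "above" if rate > high else "within"


def analyze(history: list[Measurement]) -> dict:
    """Derive a metric from two or more measurements taken over time.

    A rate below the benchmark settles nothing by itself; it identifies the
    questions the analyst must now answer, so those are returned with it.
    """
    if len(history) < 2:
        raise ValueError("a metric needs at least two measurements")
    rates = [rate_per_thousand(m) for m in history]
    latest, baseline = rates[-1], rates[0]
    trend = "falling" if latest < baseline else "rising" if latest > baseline else "flat"
    result = {
        "rates": {m.period: round(r, 2) for m, r in zip(history, rates)},
        "latest": round(latest, 2),
        "status": classify(latest),
        "change_vs_baseline": round(latest - baseline, 2),
        "trend": trend,
    }
    if result["status"] == "below":
        # The paper's own follow-up questions for a low call rate.
        result["questions"] = [
            "Does the company have fewer ethics problems than its peers?",
            "Are employees intimidated into not reporting their concerns?",
            "Is the hotline underpublicized?",
        ]
    return result


# Constructed sample: 40, 25 and 15 calls over three years.
SAMPLE_HISTORY = [
    Measurement("2009", 40, 5000),
    Measurement("2010", 25, 5200),
    Measurement("2011", 15, 5000),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_HISTORY))
```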

In the MA approach, which is relatively new, key terminology is not completely settled. On one hand, Payne (2006) observes:

Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing to a predetermined baseline of two or more measurements taken over time. Measurements are generated by counting; metrics are generated from analysis. In other words, measurements are objective raw data and metrics are either objective or subjective human interpretations of those data.

In Security Metrics Management: How to Manage the Costs of an Assets Protection Program, Kovacich and Halibozek (2005) define a metric as "a standard of measurement using quantitative, statistical, and/or mathematical analyses." In their taxonomy, a security metric is:

The application of quantitative, statistical, and/or mathematical analyses to measuring security functional costs, benefits, successes, failures, trends and workload, in other words, tracking the status of each security function in those terms.

MAKE BETTER DECISIONS
Analytics: Using data and quantitative analysis to support decision making.
Benefits: Decisions are more likely to be correct. The scientific method adds rigor.
Caution: Correct assumptions are crucial. If you don't assess the results of your changes, you're unlikely to achieve better decisions.
Harvard Business Review (Davenport, 2009)

On the other hand, the National Institute of Standards and Technology (2008) states that while "a case can be made for using different terms for more detailed and aggregated items, such as metrics and measures, [this report] standardizes on measures to mean the results of data collection, analysis, and reporting." The same source refers to the process of data collection, analysis and reporting as measurement. Harvard Business Review refers to analytics rather than metrics and analysis (Davenport & Harris, 2010). The terminology will likely continue to evolve.

Despite the clear value of MA, one source suggests that only about a third of CSOs collect and analyze metrics (Kohl, 2009). Specifically, in a survey by the Security Executive Council (SEC), only 31 percent of survey respondents gather security program data in order to create statistical reports to present to senior management. Regarding the significance of that finding, Kohl quotes SEC spokesmen as follows:

[I]t should be more than a wake-up call that 69 percent said they don't collect information; it should be an alarm... [A] large percentage didn't collect data because management hadn't asked for it. That may mean management isn't even aware that security has metrics that may impact the business, or it

may mean that security is being left out of the mainstream of the organization... [S]ome security managers don't know what metrics are or how they should gather or report metrics, and that will require some training and education. [O]ther security managers feel that collecting metrics is more work than they want to do, [but if] your management has an interest or develops an interest in this area, you'd better be ready to respond.

The practice of MA is more advanced in the field of information technology security than in the field of corporate security as a whole. Although much of the research conducted so far on MA has been focused on IT, a growing interest in studying MA's application to security management is evident in an expanding focus on the subject in security conferences and publications. This paper synthesizes the current MA literature primarily in the security management field and also adds insights from more foundational IT MA sources.

The sections that follow address six key aspects of this management tool:
- Fortified Decision Making
- Metrics as a Security Operations Tool
- Metrics as Marketing for the Security Program
- Developing Specific Metrics
- Essential Ingredient: Data
- From Data to Information: Analyzing Metrics

The paper then presents recommendations on how to start employing metrics and analysis in security. A list of sources for additional information concludes the paper.

Fortified Decision Making

How can security managers make decisions that are more likely to lead to success? What, specifically, leads to better decisions? In the Harvard Business Review, Davenport and Harris (2010) report results from their study of 400 companies in 35 countries and 19 industry sectors. They found that better decisions emerge when companies systematically:
- Identify their critical decisions.
- Inventory those decisions that require analytical help.

- Intervene where needed.
- Institutionalize what was learned.

Emphasizing the analytical help mentioned in the second step, the authors note that those who view analytics as just reporting on past performance don't understand the full scope and value of analytics. Analytics, they explain, has descriptive, predictive and prescriptive properties. Descriptive analytics describe past performance. Predictive and prescriptive analytics examine data to determine significance: "Predictive analytics, which include forecasting, predictive modeling, and optimization, are focused on the future. The use of predictive analytics takes an organization to a higher degree of intelligence and can yield competitive advantage." Thus, analytics based on metrics, which this paper refers to as MA, appears to be an essential, foundational step in optimal decision making.

Metrics as a Security Operations Tool

Metrics and analysis (MA) can guide decisions regarding security operations in both specific and general ways. For example, at Delta Air Lines, MA is used to guide policy making. According to Kim Hodgkin, Delta's Manager of Security Administration, the company tracks compliance issues, accidents, medical emergencies, financial crimes and other losses. He notes, "Based on our metrics and analysis, we make recommendations to security leadership and other divisions." Changes suggested by MA include improved employee training, changes to screening methods, security awareness messages, and targeted investigations (Hodgkin, 2011).

Similarly, Treece and Freadman (2010) describe the use of metrics and analysis at the Massachusetts Port Authority (Massport) to solve the specific problem of security door alarms. They report that Massport greatly reduced such alarms through the analysis of alarm metrics. That analysis helped security management determine the cause of each type of alarm and develop solutions to eliminate or reduce them. Analysis of detailed door transaction data, including video, showed the causes of alarms. That understanding led to a variety of corrective