What is it?
A quantifiable measurement used to help organizations evaluate performance.
Why is it important?
Metrics provide a standard for measuring the performance of governance programs and controls established to protect an organization’s assets, interests, and resources.
Why does a business professional need to know this?
Metrics help business professionals evaluate the level of performance achieved by their cybersecurity initiatives. Good metrics depend on good data and a consistent model for interpreting that data.
The foundation of good data is context, which determines the significance of a metric. For example, metrics about perimeter defenses have a different context than metrics about compliance with policies and procedures. Once the context is understood, cybersecurity specialists can identify meaningful things to measure.
Metrics can apply to anything; however, cybersecurity metrics should focus on information critical for protecting an organization: asset information, impact information, threat information, and controls information.
The effectiveness of cybersecurity metrics also depends on the model used to analyze the data. Many business disciplines use predictive models to forecast an expected outcome based on available data. Within cybersecurity, frequency distributions provide an effective model for metrics because they support observations about the effectiveness of different initiatives over time. This approach helps establish an initial benchmark that the organization can use as a reference to highlight the extent to which an initiative is successful or failing.
Example: An organization establishes a baseline with the average occurrence (mean frequency) of a successful attack = [x]. Based on risk tolerance, the stability, increase, or decrease of [x] allows the organization to measure the effectiveness of existing controls and decide what additional steps are appropriate to reduce the frequency of successful attacks.
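The baseline approach described in this example can be worked through in code. The block below is an added illustration, not part of the original page: it builds a monthly frequency distribution of successful attacks from a constructed list of incident dates, derives the baseline mean frequency [x] and its spread over a reference window, and then classifies each later month as stable, increase, or decrease relative to a tolerance. The incident dates, the month windows, and the choice to express risk tolerance as a number of standard deviations around [x] are all assumptions made for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data: one entry per confirmed successful attack, by date.
# In practice these would be pulled from the incident-tracking system.
SAMPLE_INCIDENTS = [
    "2023-01-04", "2023-01-19",
    "2023-02-11", "2023-02-15", "2023-02-27",
    "2023-03-08", "2023-03-21",
    "2023-04-02", "2023-04-13", "2023-04-30",
    "2023-05-17", "2023-05-25",
    "2023-06-09", "2023-06-12", "2023-06-20",
    # Observation window after a control change (also constructed).
    "2023-07-06",
    "2023-08-03", "2023-08-10", "2023-08-14", "2023-08-22", "2023-08-29",
    "2023-09-15",
]

# Assumed windows: six months to establish the baseline, three to observe.
BASELINE_MONTHS = [f"2023-{m:02d}" for m in range(1, 7)]
OBSERVATION_MONTHS = [f"2023-{m:02d}" for m in range(7, 10)]


def monthly_frequency(incident_dates, months):
    """Frequency distribution: successful attacks per month.

    Months with no incidents are kept with a count of 0 so that quiet
    periods lower the baseline instead of silently disappearing.
    """
    counts = Counter(d[:7] for d in incident_dates)  # "YYYY-MM" key
    return {m: counts.get(m, 0) for m in months}


def baseline(freq):
    """Return the mean frequency [x] and population std. dev. of a window."""
    values = list(freq.values())
    return mean(values), pstdev(values)


def classify(observed, mean_x, std_x, tolerance):
    """Compare one period's count with the baseline.

    tolerance is the number of standard deviations around [x] the
    organization is willing to treat as 'stable' (an assumed risk-tolerance
    model). If the baseline has no variance, any change is flagged.
    """
    band = tolerance * std_x
    if observed > mean_x + band:
        return "increase"
    if observed < mean_x - band:
        return "decrease"
    return "stable"


def evaluate(incident_dates, baseline_months, observation_months, tolerance=1.0):
    """Map each observation month to (count, status) relative to the baseline."""
    mean_x, std_x = baseline(monthly_frequency(incident_dates, baseline_months))
    observed = monthly_frequency(incident_dates, observation_months)
    return {
        month: (count, classify(count, mean_x, std_x, tolerance))
        for month, count in observed.items()
    }


if __name__ == "__main__":
    x, s = baseline(monthly_frequency(SAMPLE_INCIDENTS, BASELINE_MONTHS))
    print(f"baseline [x] = {x:.2f} successful attacks/month (std {s:.2f})")
    for month, (count, status) in evaluate(
        SAMPLE_INCIDENTS, BASELINE_MONTHS, OBSERVATION_MONTHS
    ).items():
        print(f"{month}: {count} -> {status}")
```

With the constructed data the baseline works out to 2.5 successful attacks per month; July and September fall below the tolerance band and August rises above it, which is exactly the kind of signal the text describes using to judge existing controls and decide on further steps. Widening or narrowing the tolerance changes how much month-to-month noise is reported as a real change, so that parameter should be tied to the organization's stated risk tolerance rather than picked ad hoc.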
Metrics, in and of themselves, do not prevent breaches. However, good metrics provide the information needed to justify investment in the tools, products, and personnel that improve security programs. Without metrics, it is difficult for management to know where to focus resources to achieve meaningful outcomes.