Governance of Information Security Metrics Do Not Necessarily Improve Security Research Paper

Download this Research Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Research Paper:

Security Metrics

Governance of Information Security: Why Metrics Do Not Necessarily Improve Security

The objective of this study is to examine the concept that the use of various Metrics has tended to improve security however, Metrics alone may not necessarily improve security. This study will focus on two well-known metrics.

The work of Barabanov, Kowalski and Yngstrom (2011) states that the greatest driver for information security development in the majority of organizations "is the recently amplified regulatory environment, demanding greater transparency and accountability. However, organizations are also driven by internal factors, such as the needs to better justify and prioritize security investments, ensure good alignment between securities and the overall organizational mission, goals, and objectives, and fine-tune effectiveness and efficiency of the security programs." (p.1)

It is reported that a survey conducted by Frost and Sullivan demonstrated "that the degree of interest in security metrics among many companies (sample consisted of over 80) was high and increasing (Ayoub, 2006); while, in a global survey sponsored by ISACA, dependable metrics were perceived to be one of the critical elements of information security program success by many security professionals and executives, though, they were also deemed difficult to acquire (O'Bryan, 2006)." (Barabanov, Kowalski and Yngstrom, 2011, p.2)

In addition, it is reported that the focus on governance includes a "need for proper measurement and reporting on all the echelons within the organization, starting at the highest level. Another survey instigated by ISACA showed that organizations that are missing an information security governance project had identified metrics and reporting as the areas in their information security programs where the lack of quality was most noticeable." (Barabanov, Kowalski and Yngstrom, 2011, p.2) Barabanov, Kowalski and Yngstrom report that the correlation reported in their study highlights the requirement of recognizing "that measurement and reporting are connected with management on all organizational levels." (Barabanov, Kowalski and Yngstrom, 2011, p.2)

I. Defining Metrics

There is reported to be a great deal of ambiguity in relation to the precise definition of the term metric or 'security metric' according to Barabanov, Kowalski and Yngstrom (2011) since the terms "security metric and measure tend to be used interchangeably." (p.3) Definitions that have been proposed are stated to include those as follows:

(1) measure - A variable to which a value is assigned as the result of measurement where measurement is defined as the process of obtaining information about the effectiveness of Information Security Management Systems (ISMS) and controls using a measurement method, a measurement function, an analytical model, and decision criteria (ISO/IEC, 2009a).

(2) (IS) Measures - the results of data collection, analysis, and reporting, which are based on, and monitor the accomplishment of, IS goals and objectives by means of quantification (Chew et al., 2008).

(3) Metric - a consistent standard for measurement, the primary goal of which is to quantify data in order to facilitate insight (Jaquith, 2007)

(4) Metric - a proposed measure or unit of measure that is designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant data (Herrmann, 2007).

(5) Metrics - broad category of tools used by decision makers to evaluate data. A metric is a system of related measures that facilitates the quantification of some particular characteristic. In simpler terms, a metric is a measurement that is compared to a scale or benchmark to produce a meaningful result (McIntyre et al., 2007).

(6) Security Metrics - the standard measurement of computer security (Rosenblatt,2008).Although the specifics of the different definitions are subject to some variation, certain common characteristics generally emerge. (Barabanov, Kowalski and Yngstrom, 2011, p.20)

Primarily, metrics and measures are "considered to be measurement standards that that facilitate decision making by quantifying relevant data, where measurement refers to the process by which they are obtained. " (Barabanov, Kowalski and Yngstrom, 2011, p.20)

Stoddard, et al. (2005) reports that the term metrics "…describes a broad category of tools used by decision makers to evaluate data in many different areas of an organization. In its simplest form, a metric is a measurement that is compared to a scale or benchmark to produce a meaningful result." (p.3)

II. Characteristics of Good Metrics

The characteristics of good metrics is reported to include the following:

(1) Metrics should measure and communicate things that are relevant in the specific context for which they are intended, and be meaningful (in both the content and the presentation) to the expected target audience.

(2) The value of metrics should obviously not exceed their cost. Measures should be cheap/easy enough to obtain so that potential inefficiencies of data collection do not pull the resources needed for subsequent stages of measurement or in other parts and functions of the organization.

(3) The timeliness and frequency of measurement has to be appropriate for the rate of change of the targets of measurement so that the latency of metrics does not defeat their purpose. It should also be possible to track changes over time.

(4) Good metrics should ideally be objective and quantifiable. This implies that they have to be derived from precise and reliable numeric values (and not qualitative assessments, which have potential for bias), and likewise be expressed by using readily understood and unambiguous units of measure; and (5) Metrics have to be consistently reproducible by different evaluators under similar circumstances and, therefore, a sufficient level of formality is expected from the defined measurement procedures. (Barabanov, Kowalski and Yngstrom, 2011, p.21)

The majority of these characteristics can be realized through "a high degree of standardization and, wherever possible, automation of the measurement related processes." ( )

III. Dimensions of Metrics

Various dimensions of metrics exist including the following stated dimensions:

(1) Governance, Management. And Technical;

(2) Management, Operational, and Technical;

(3) Organizational, Operational, and Technical

(4) Program Development, Support, Operational, and Effectiveness

(5) Organizational and Performance, Operational, Technological, Business Process, Business Value, and Compliance

(6) Implementation, Effectiveness and Efficiency, and Business Impact. (Barabanov, Kowalski and Yngstrom, 2011, p.16)

For the purpose of this study, the metrics focused on in this study are those of (1) governance and (2) technical metrics.

IV. Governance Metrics

Governance metrics are those "that address the responsibilities of the Board of Directors or Trustees and associated controls." (Barabanov, Kowalski and Yngstrom, 2011, p.5) Technical metrics are those that "deal with controls contained within and executed by and IT environment." (Barabanov, Kowalski and Yngstrom, 2011, p.5) Metrics are reported to be separated into three different subsets including: (1) All or complete set of metrics established in the report and which are used as a reference and likely to be impractical for implementation in its entirety; (2) baseline or the minimum required set of metrics for use as a starting point for a metrics program that is more comprehensive; and (3) SME or metrics that are suitable to be implemented in both small and medium organizations. (Barabanov, Kowalski and Yngstrom, 2011, p.6)

The work of Pironti (2008) reports that key to effective governance is "meaningful understanding of business effectiveness," the "ability to measure processes for constant improvement," and "early warning radar for threats and vulnerabilities." (p.1) Business aligned knowledge is stated to be a great benefit in reporting to management and business and that business and security intelligence includes: (1) trend analysis; (2) anomaly detection; and (3) threat intelligence. (Pironti, 2008, p.1)

Metrics are reported to include those that are 'subjective' and those that are 'objective'. Subjective metrics include those that are "powerful and harmful," those that are 'high risks," those that are "hard to substantiate" and the one cited as the best and worst indicator or that of human intuition. (Pironti, 2008, p.2) Objective measures are those, which are "low risk, supported by data, and able to be recreated." (Pironti, 2008, p.3) Key performance indicators include those which are business aligned quantitative and qualitative measures or the success or failure of "processes, personal, technology, and organizational effectiveness" as well as those which serve to "enable continuous improvement and facilitate effective governance." (Pironti, 2008, p.3)

It is necessary to define what it is that is being measured, what the business value of measurement is and the thresholds that should be established including "positive and negative boundaries, realistic goals and range of values." (Pironti, 2008,p.4) Data for metrics can be gathered through electronic methods and non-electronic methods. Electronic methods include such as system logs, automated system monitoring and sensor networks. Non-electronic methods include such as statistical tracking, human feedback, business process monitoring and business reporting. (Pironti, 2008, p.4)

Business goal alignment includes the defining of required measures and the mapping of business processes to define metrics as well as understanding the motivation for the metrics. (Pronto, 2008, paraphrased) The baseline framework of metrics is inclusive of "people, processes, procedures, technology and compliance" and include value provided vs. The cost including monetary impact, the cost of labor the addition of complexity and the impact on user experience. (Pronto, 2008, p.4 )

Governance metrics are inclusive of employee performance, budget accuracy, and communication capabilities. Stoddard…[continue]

Cite This Research Paper:

"Governance Of Information Security Metrics Do Not Necessarily Improve Security" (2012, September 28) Retrieved December 6, 2016, from

"Governance Of Information Security Metrics Do Not Necessarily Improve Security" 28 September 2012. Web.6 December. 2016. <>

"Governance Of Information Security Metrics Do Not Necessarily Improve Security", 28 September 2012, Accessed.6 December. 2016,

Other Documents Pertaining To This Topic

  • Metrics Implementation and Enforcement Security Governance

    Metrics, Implementation, and Enforcement (Security Governance) How can you determine whether there has been a malware outbreak? The threat situation today has become more dangerous than in the past. Security and safety threats have been increasing in an alarming rate; there are more than 70,000 brand new bits of malware recognized daily. Well-funded cybercriminals have been currently making advanced malware that has been made to bypass present security options by launching prior

  • Lufthansa Structure and Governance Performance and Competition

    Lufthansa Structure and Governance. Performance and Competition. Five-force analysis. Lufthansa is one of the oldest and most successful commercial airlines in the world, and is the fourth-largest in terms of passengers. However, the company has not always been so successful, and in fact was teetering on the brink of bankruptcy just a short while ago. By examining Lufthansa's history, structure, governance, and contemporary strategies and goals, one is able to see how the company

  • Diffusion of Product Innovation Through

    Moreover, CoPs develop their practice through improving the diffusion of innovation within their active networks; the benefits of such interactions are countless especially in the field of healthcare. One can assume that specialty doctors' communities would present the perfect example for CoPs because they share the same practice, interest and professionalism. It would be interesting to study if those CoP networks exist in United Arab Emirates, whether they are active

  • Open Economy a Closed Economy

    Based on the findings then, it is important for the Army National Guard to develop its infrastructure so that it responds to the KM needs. At the second level, the ARNG has to align its scopes and objectives with the knowledge management effort. At this stage, the risk resides in the inability to understand and apply knowledge management in the military setting. In order to overcome this, the company

  • Principal Agent Model in Economics and Political Science

    Principal-Agent Model in Economics and Political Science The international political perspectives of free trade A Global Analysis International Trade Impact on Tunisia The Export of agricultural products International trade and development of Tunisia Balance in the Trade Regime Imports and exports of Tunisia Exports Imports Coping With External and Internal Pressures The Common External Tariff (CET) Safeguard Measures Anti-Dumping Duties (ADDs) and Countervailing Duties (CVDs) Rules of origin The New Commercial Policy Instrument Sector Based Aspects GATT/WTO's Main Principles Non-discriminatory trade Multilateral negotiation and free trade The Trading Policies

  • Environmental Issues Faced in 21st Century Aviation

    Environmental Issues Faced in 21st Century Aviation Reducing Communication and Coordination Tools and Metrics Technology, Operations and Policy Demand Aviation and the Environment Effects on the health Local Air Quality Climate Change Total Climate impacts from aircraft Interdependencies Mobility, Economy and National Security Interactions between Government, Industry and Groups Aviation Greenhouse Gas Emissions Economic Impact SPCC Regulations Local Airport Issues De-icing Fluids A Framework for National Goals Realities and Myths Metrics Recommended Actions Environmental Issues Faced in 21st Century Aviation Environmental awareness in regards to 21st century aviation among the public and politicians has

  • Wal Mart Case Study Wal Mart Faces

    The Price-Sensitive Affluents, Wal-Mart has learned (Wal-Mart Annual Reports) is more interested in finding an exceptionally good deal and not necessarily concerned about the shopping experience. This is particularly true as one of the strongest factors influencing the execution of their strategy, the emerging global recession during this timeframe, takes hold. Again as with the Price Value Shopper and the paradoxical purchasing patterns of the Brand Aspirational segment show,

Read Full Research Paper
Copyright 2016 . All Rights Reserved