Security breaches often occur through a combination of defective communication protocols, lack of awareness of security procedures or plain recklessness, defective software designs, improper procedures, misconfigured systems, and so forth (Pedro & Ashutosh, 2010). Evaluation criteria and maturity models such as the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), the Systems Security Engineering Capability Maturity Model (SSE-CMM), and the Common Criteria have therefore been formulated as standards, or models, with associated metrics intended to tighten security. The purpose of these metrics is to assess security lapses and close them, and their result has been better data safety and security.
… Metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions, based on observed measurements. … (Swanson, n.d.)
Metrics are a set of security processes that, when applied to a security system, monitor the status of the security process, identify and prevent problems, and facilitate improvement through corrective action. The standards and models named above have therefore formulated metrics intended to identify and prevent problems and to correct them when they occur (Jansen, n.d.). The models that formulate the metrics, and the metrics themselves (i.e. the measurements), help organizations seek out security problems before they occur and address them if and when they do.
Models and Metrics
There is a difference between models and metrics. Models take discrete measurements at a single point in time and formulate theoretical or quantitative conclusions from them, whilst metrics are the result of analysing those measurements, an objective or subjective interpretation of the numerical data points (Chowdhary & Mezzeapelle, n.d.). Metrics are thus derived from the models: they are the instrument by which a model's insights are applied to a security system, quantitatively or qualitatively. Being applied in practice, they also test the models themselves, showing whether a model does work and, if so, whether its results can be replicated. The different models, with metrics as their offshoot, are devised as a security process for identifying security problems if and when they occur and addressing them.
Security metrics can be categorized in various ways. One way is by the maturity of the process being measured: the metrics traditionally used in constructing and monitoring the system, covering the security processes, procedures and training applied when designing, configuring, operating and maintaining it. Another is by the security outcome itself: metrics that test for and denote the extent to which security is, or is not, present in a system, such as those that measure a system's security posture and the level of risk involved (Pedro & Ashutosh, 2010).
The three main categories of models and metrics
1. Implementation models track the implementation of information security programs, specific security controls, and the associated policies and procedures. Operational metrics are developed from these measures; they are usually quantitative, and their audience is business unit managers, security staff within the business unit, and security managers.
2. Effectiveness / efficacy models assess whether program-level processes and system-level security controls are implemented correctly and producing the desired outcome. Efficacy metrics are derived from these and show whether the organization is run effectively, with valuable data kept safe and not leaking out.
3. Business impact models describe the impact of information security on an organization's goals. Business-centric metrics are developed from these measures; they are usually practical, comprehensive and analytical, and their audience generally consists of senior executives and other leading personnel (Chowdhary & Mezzeapelle, n.d.).
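As an added example, not taken from the paper or from any of the sources it cites, the following Python script derives one metric of each of the three classes above from raw measurements: baseline coverage (implementation), SLA compliance and mean time to remediate for critical findings (effectiveness/efficacy), and incident downtime and cost (business impact). It also shows the point made earlier about models versus metrics: each function call is a single-point-in-time measurement, and comparing two such measurements over time (the `trend` function) is what turns them into a metric a manager can act on. The host inventory, finding records, incident records, SLA windows and targets are all constructed for the example and are assumptions, not data from the paper.

```python
"""Added example: deriving implementation, effectiveness and business impact
metrics from constructed raw measurements. Not from the paper or its sources;
record layouts, hosts, findings, SLA windows and targets are assumptions."""
from datetime import date

# Constructed inventory snapshot: does each host meet the hardening baseline?
HOSTS = [
    {"host": "web-01", "baseline_ok": True},
    {"host": "web-02", "baseline_ok": True},
    {"host": "db-01", "baseline_ok": False},
    {"host": "app-01", "baseline_ok": True},
    {"host": "app-02", "baseline_ok": False},
]

# Constructed vulnerability findings: discovery date and fix date (None = open).
FINDINGS = [
    {"id": "F1", "severity": "critical", "found": date(2024, 1, 2), "fixed": date(2024, 1, 10)},
    {"id": "F2", "severity": "critical", "found": date(2024, 1, 5), "fixed": date(2024, 1, 30)},
    {"id": "F3", "severity": "high", "found": date(2024, 1, 7), "fixed": date(2024, 1, 20)},
    {"id": "F4", "severity": "critical", "found": date(2024, 1, 15), "fixed": None},
    {"id": "F5", "severity": "low", "found": date(2024, 1, 20), "fixed": date(2024, 1, 21)},
]

# Constructed incident records for the same reporting period.
INCIDENTS = [
    {"id": "I1", "downtime_hours": 3.0, "cost_usd": 12000.0},
    {"id": "I2", "downtime_hours": 0.5, "cost_usd": 1500.0},
]

SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}  # assumed SLA
TARGETS = {"baseline_coverage": 0.95, "critical_sla_compliance": 0.90,  # assumed
           "critical_mttr_days": 10.0, "incident_cost_usd": 15000.0}
PRIOR_DATE = date(2024, 1, 20)   # two report dates used for the trend below
REPORT_DATE = date(2024, 2, 1)


def implementation_baseline_coverage(hosts):
    """Implementation measure: fraction of inventoried hosts meeting the baseline."""
    return sum(1 for h in hosts if h["baseline_ok"]) / len(hosts) if hosts else 0.0


def _closed_on(finding, as_of):
    """Fix date if the finding was closed on or before as_of, otherwise None."""
    fixed = finding["fixed"]
    return fixed if fixed is not None and fixed <= as_of else None


def effectiveness_sla_compliance(findings, as_of, severity="critical"):
    """Effectiveness measure: share of findings of one severity closed within SLA.

    Evaluated as of a date: a finding still open past its SLA window is a miss,
    one still open but inside the window is undecided and left out of the ratio.
    """
    sla = SLA_DAYS[severity]
    hits = misses = 0
    for f in findings:
        if f["severity"] != severity or f["found"] > as_of:
            continue
        fixed = _closed_on(f, as_of)
        if fixed is not None:
            if (fixed - f["found"]).days <= sla:
                hits += 1
            else:
                misses += 1
        elif (as_of - f["found"]).days > sla:
            misses += 1
    decided = hits + misses
    return hits / decided if decided else 1.0


def effectiveness_mttr_days(findings, as_of, severity="critical"):
    """Effectiveness measure: mean days from discovery to fix for closed findings."""
    durations = [(_closed_on(f, as_of) - f["found"]).days for f in findings
                 if f["severity"] == severity and _closed_on(f, as_of) is not None]
    return sum(durations) / len(durations) if durations else 0.0


def impact_incident_cost(incidents):
    """Business impact measure: (total downtime hours, total direct cost)."""
    return (sum(i["downtime_hours"] for i in incidents),
            sum(i["cost_usd"] for i in incidents))


def scorecard(hosts, findings, incidents, as_of):
    """Turn the measures into metrics: each value beside its target and a verdict."""
    _hours, cost = impact_incident_cost(incidents)
    # (value, higher_is_better) per metric; direction decides the comparison.
    values = {
        "baseline_coverage": (implementation_baseline_coverage(hosts), True),
        "critical_sla_compliance": (effectiveness_sla_compliance(findings, as_of), True),
        "critical_mttr_days": (effectiveness_mttr_days(findings, as_of), False),
        "incident_cost_usd": (cost, False),
    }
    card = {}
    for name, (value, higher_is_better) in values.items():
        target = TARGETS[name]
        met = value >= target if higher_is_better else value <= target
        card[name] = {"value": value, "target": target, "met": met}
    return card


def trend(findings, earlier, later, severity="critical"):
    """Change in SLA compliance between two report dates (negative = worsening)."""
    return (effectiveness_sla_compliance(findings, later, severity)
            - effectiveness_sla_compliance(findings, earlier, severity))


if __name__ == "__main__":
    for name, row in scorecard(HOSTS, FINDINGS, INCIDENTS, REPORT_DATE).items():
        print(f"{name:24} value={row['value']:<10.3f} target={row['target']} met={row['met']}")
    print("critical SLA compliance trend:", round(trend(FINDINGS, PRIOR_DATE, REPORT_DATE), 3))
```

Run as a script it prints the scorecard for 1 February 2024 and the trend since 20 January. On the constructed data, baseline coverage is 3/5 against a 0.95 target, critical SLA compliance has fallen from 1/2 to 1/3 because finding F4 crossed its 14-day window between the two dates, and only the incident-cost target is met. The as-of date matters: a compliance figure computed without it silently counts fixes that had not yet happened, which is the kind of inconsistency the paper's later point about reproducible results is meant to catch.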
These are only some of the models and metrics employed to safeguard data security; many more quantitative and qualitative metrics have been engineered to assess and reduce security risk. Quantitative metrics are structured according to empirical, mathematical rules (often borrowed from disciplines such as finance), whilst qualitative metrics are structured experientially, from interviews, observation, and so forth; each kind has its benefits and disadvantages.
Uses of security metrics and how organizations benefit from them
The benefits of security metrics fall into three broad classes:
1. Strategic support -- Security metrics inform different kinds of organizational decision-making, such as program planning, product and service selection, and resource allocation.
2. Quality assurance -- Security metrics are used during the software development lifecycle to prevent and screen out vulnerabilities, particularly during code production, for example by measuring the code's adherence to coding standards, identifying vulnerabilities that may exist, and tracking and analysing possible security issues.
3. Tactical oversight -- Security metrics gauge the effectiveness of security controls and manage risk, identify areas for improvement, provide a basis for trend analysis, and monitor the security status of an organization's IT systems to ensure they comply with security standards (Jansen, n.d.).
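The quality assurance use is the one most easily shown in code. As an added example, not from the paper or its sources, the Python script below computes a coding-standard metric directly from source: it scans C code for calls to unbounded string and input functions (the banned-function list is an assumed coding-standard rule), reports each hit with its line number, and normalises the count to findings per thousand lines of code so that figures are comparable between code bases of different sizes. A `gate` function turns the metric into a pass/fail check of the kind a build pipeline would apply. The C snippet it scans is constructed for the example and is not real project code.

```python
"""Added example: a quality-assurance security metric computed from source code.
Not from the paper; the banned-function rule and the C sample are assumptions."""
import re

# Assumed coding-standard rule: these calls are banned in new code.
BANNED = ("strcpy", "strcat", "sprintf", "gets", "scanf")
CALL_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")   # strip comments on a single line

# Constructed sample (raw string so the C escape sequences stay literal).
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>

/* copies a user-supplied name into a fixed buffer */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy into buf[32] */
    printf("hello %s\n", buf);
}

int read_line(char *out) {
    return gets(out) != NULL;     /* gets() was removed in C11 */
}

void build(char *dst, const char *a, const char *b) {
    sprintf(dst, "%s-%s", a, b);  /* no length bound on dst */
    strncpy(dst, a, 8);           /* bounded variant: not flagged */
}
"""


def scan(source):
    """Return (code_line_count, findings); each finding is (line_no, function).

    Blank lines and lines that are only a comment are not counted as code, and
    comments are stripped before matching so that a mention of gets() in a
    comment is not reported as a call.
    """
    code_lines = 0
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "/*")):
            continue
        code_lines += 1
        for m in CALL_RE.finditer(COMMENT_RE.sub("", line)):
            findings.append((no, m.group(1)))
    return code_lines, findings


def density_per_kloc(code_lines, findings):
    """Findings per thousand lines of code; 0.0 for an empty input."""
    return len(findings) * 1000 / code_lines if code_lines else 0.0


def gate(source, max_per_kloc):
    """Quality gate: True when the finding density is within the allowed threshold."""
    code_lines, findings = scan(source)
    return density_per_kloc(code_lines, findings) <= max_per_kloc


if __name__ == "__main__":
    lines, hits = scan(SAMPLE_C)
    for no, fn in hits:
        print(f"line {no}: banned call {fn}()")
    print(f"{len(hits)} findings in {lines} code lines = "
          f"{density_per_kloc(lines, hits):.1f} per KLOC; "
          f"gate at 50/KLOC {'passed' if gate(SAMPLE_C, 50) else 'failed'}")
```

On the sample this reports three findings (strcpy, gets, sprintf) in 14 code lines, about 214 per KLOC, and the gate fails at a 50-per-KLOC threshold. The bounded strncpy call and the printf call are correctly left alone. A word-boundary match is deliberate: without it, fgets would be reported as gets. The line-based comment stripping handles the usual trailing comment but not a block comment spanning several lines, which a production tool would handle with a proper tokenizer.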
In all these ways (and more), metrics are used throughout an organization's IT operations to prevent and screen out vulnerabilities, gauge the effectiveness of security controls and manage risk, identify areas for improvement, and monitor the security status of its IT systems against the security standards they must comply with.
Metrics benefit the organization's security at two levels. On the micro scale (the IT system itself), security metrics help ensure the safety and security of the organization's IT system by identifying its potential vulnerabilities and tightening or correcting them. On the macro scale (the organization as a whole), security metrics enable the organization to refine its security objectives so that no valuable data is corrupted or slips out in a way that jeopardizes the organization.
Models and their derivative metrics should be tested repeatedly to ensure their reliability: a metric should yield consistent, reproducible results whichever IT system it is applied to, so that a change in the number reflects a change in the system rather than in the measurement. Metrics should also be applicable, and timely enough that corrective action can still be taken.