Metrics can be used to measure security policy implementation, the effectiveness and efficiency of security services delivery, and the impact of security events on business processes. The measurement of security characteristics can allow management to increase control and drive improvements to the security

Metrics may not measure conformance to policy directly. Policies frequently are general statements that lack the specificity necessary for measurement. Metrics generally are formed to measure conformance to the standards and procedures that are used to implement policies. Those standards may be developed by the institution, developed or recognized by the financial institution industry (e.g., BITS), or developed or recognized for business in general. An example of the third is ISO 17799.

The adoption of standards, however, does not mean that a metrics system can or should be instituted. Metrics are best used in mature security processes, when

The degree to which a security metrics program mitigates risk is a function of the comprehensiveness and accuracy of the measurements and the analysis and use of those measurements. The measurements should be sufficient to justify security decisions that affect the institution's security posture, allocate resources to security-related tasks, and provide a basis for security-related