IT security metrics cover a broad range of measurable features, from the security audit logs of individual systems to the number of systems within an organization that were tested over the course of a year. They measure diverse, multi-dimensional data that is collected in real time and then analyzed. Effective IT security metrics should be used to identify security weaknesses, to determine trends so that security resources are used more effectively, and to measure the success or failure of implemented security solutions. Ultimately, the metrics should help characterize an organization's overall security posture from risk/threat/vulnerability, budgetary, and regulatory standpoints.
Ideally, metrics should be available to measure the different aspects of an organization's IT security policies and mechanisms. For example, the results of risk assessments, penetration testing, and security testing and evaluation can be quantified and used as data sources for metrics. Security managers and system owners can use the results of metrics-based analysis to isolate problems, justify budget requests, and target investments to the areas most in need of improvement, thereby obtaining the most value from available resources. Security metrics assist in determining the effectiveness of implemented security products, processes, procedures, and controls by relating the results of security issues (e.g., cyber security incident data, revenue lost to cyber attacks) to organizational requirements and security investments.
This page uses content from the Information Security Guide 2 - Glossary, which is made available under the Creative Commons Attribution License 3.0 Unported.