Security Metrics And Reporting





Ishita Mehta

Bhavin Desai

Haitham Alghamdi


Khaled Alomari

Khalid Jarrah

Date: 02/05/2013


A security metric can be explained by the following definition: a metric is a reference-based measure that involves at least two points, the measure and the reference. Security generally means protection from and prevention of danger. As a result, a security metric denotes a state or level of safety in relation to a reference point and indicates the steps to be taken in order to avoid danger. IT organizations usually hold a significant store of statistical data, kept in the form of log files and, in some cases, dashboards. The information inside them has to be mined and prepared for use by the enterprise, and must follow the enterprise's requirements and measurements. These factors determine security metrics. As Jaquith (2007) put it, the leading goal of metrics is to quantify data to facilitate insight. Some advantages of security metrics are listed below: [58]

Security metrics can be used to help communicate performance.

Security metrics help drive performance improvement.

Security metrics measure the effectiveness of IT controls.

Security metrics help diagnose problems.

Security metrics support effective decision-making.

Security metrics increase accountability.

Security metrics can be used to guide investment.

Security metrics demonstrate the state of compliance.

Security metrics make benchmark comparisons easier.

According to Jaquith, good metrics facilitate discussion, insight and analysis. All good metrics share the same or similar characteristics. Good metrics are:

Essential for satisfying specific requirements of business solutions.

Measured sequentially.

Inexpensive to produce.

Expressed as quantitative information.

Expressed using at least one unit of measure.

Measuring only repeatable information about security processes.

Specific to a context.

Metric and Measurement

A metric is a simple way or standard of measurement. A metric is meaningless if separated from the terms measurement and calculation. Metrics are a result, and measurement is an action. Metrics are the rules of measurement, and measurement is, as a rule, the quantitative comparison of things against standards. [59]

The Security Project Management Framework comprises security metrics, security measurement projects, and the security improvement program. This is embodied in the schematic below: [59]



The table below lists the ways in which security measures can be used to gauge success in overall risk management, legal compliance, loss prevention, loss control, and loss financing.

Table 13: Security Measures (columns: Risk Management Component / Security Metrics [200])

Risk Assessment
- Level of high-vulnerability risks that are possible during the company-defined time period after discovery.
- Percentage of untrustworthy activities detected.
- Percentage of systems that have to be tested.
- Percentage of effective changes that were successfully applied.
- Percentage of risks mitigated during a specific period.
- Percentage of risks and liabilities accepted by a third party.
- Percentage of costs allocated to the solutions of risk management policies.
- Percentage of hazards that can be caused by human resources.
- Percentage of traffic carrying harmful or potentially dangerous content.
- Percentage of thefts solved, prevented, or stopped.
- Percentage of costs provided for the longevity of the business.
- Percentage of hardware issues and problems solved.
- Percentage of updates and patches applied to the system, with lower rates of failure.
- Percentage of SLAs with providers.

Legal Compliance
- Percentage of structures enforced and implemented.
- Percentage of law breaches detected and reported.
- Percentage of laws breached during a specific period of time.
- Percentage of reported violations of rules.
- Percentage of policies and standards applicable to the organization.
- Frequency of the organization's compliance audits, as a percentage.
- Percentage of systems subject to certification policies.
- Percentage of compliance with state, federal, and international standards and laws during a certain period of time.
- Percentage of accordance with the standards and policies of the RIT community.

Loss Prevention
- Percentage of costs and resources devoted to the information security system.
- Percentage of people trained in security.
- Percentage of attacks that succeeded in the past and can now be prevented.
- Percentage of cryptographic (encryption) algorithms used by the systems.
- Percentage of regularly updated and patched systems.
- Percentage of systems accredited prior to their implementation.
- Percentage of systems certified before implementation.
- Percentage of authenticated people who have access to system authorization.

Loss Control
- Percentage of viruses, bugs, rabbits, and other malware diagnosed and removed during a specific period.
- Percentage of detected viruses, malware, etc. successfully removed.
- Mean Time To Repair (MTTR) for recovering from data-loss incidents.
- Percentage of systems that implement contingency and redundancy plans, measured at regular intervals.
- Percentage of units that use disaster recovery and backup plans in case of failure to recover data.
- Percentage of network attacks mitigated by network security appliances such as IDS, firewalls, etc.

Loss Financing
- Loss financing is generally covered by third-party insurance.
- Percentage of costs reserved for third parties to which the company's commitments are outsourced.
- Percentage of obligations assumed by the organization in case of unpredictable circumstances.
- Percentage of finances and resources held in reserve to recover from losses during a crisis or critical time.
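The following is an added example, written for this page rather than taken from the paper or from any of the cited authors. It turns the "good metrics" characteristics listed earlier (quantitative, at least one unit of measure, a reference point, a specific context) into a small Metric record, and derives three of the Table 13 figures (percentage of patched systems, MTTR for data-loss incidents, percentage of network attacks mitigated by security appliances) from constructed log lines. The hosts, timestamps, addresses and target values are all constructed sample data, and the log formats are assumed for the example.

```python
"""Reference-based security metrics derived from constructed log data.

Added example, not from the paper: each metric carries a value, a unit,
a reference point and a context, matching the 'good metrics' characteristics,
and the three metrics computed here come from Table 13. All hosts, timestamps,
addresses and thresholds are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Metric:
    name: str
    value: float
    unit: str              # at least one unit of measure ("%" or "h")
    reference: float       # the reference point the measure is compared with
    context: str           # period or scope the figure applies to
    higher_is_better: bool = True

    def meets_reference(self) -> bool:
        """A metric is only meaningful against its reference (measure vs. reference)."""
        if self.higher_is_better:
            return self.value >= self.reference
        return self.value <= self.reference

    def __str__(self) -> str:
        verdict = "OK" if self.meets_reference() else "BELOW TARGET"
        return (f"{self.name} [{self.context}]: {self.value}{self.unit} "
                f"(reference {self.reference}{self.unit}) -> {verdict}")


# Constructed patch-audit log: one line per host with its count of missing critical patches.
PATCH_LOG = """\
2013-01-31T02:00:00 host=web01 critical_missing=0
2013-01-31T02:00:00 host=web02 critical_missing=2
2013-01-31T02:00:00 host=db01 critical_missing=0
2013-01-31T02:00:00 host=mail01 critical_missing=0
2013-01-31T02:00:00 host=vpn01 critical_missing=1
"""

# Constructed data-loss incidents as (opened, closed) timestamps.
INCIDENTS = [
    ("2013-01-03T08:00:00", "2013-01-03T14:00:00"),
    ("2013-01-10T09:30:00", "2013-01-11T09:30:00"),
    ("2013-01-20T22:00:00", "2013-01-21T04:00:00"),
]

# Constructed IDS/firewall log; action=blocked means the appliance mitigated the attack.
IDS_LOG = """\
2013-01-05T11:02:10 src=203.0.113.7 sig=sqli-attempt action=blocked
2013-01-06T03:44:51 src=198.51.100.2 sig=port-scan action=alerted
2013-01-07T19:12:03 src=203.0.113.9 sig=ssh-bruteforce action=blocked
2013-01-08T08:30:27 src=198.51.100.5 sig=port-scan action=blocked
"""

PATCH_RE = re.compile(r"host=(\S+) critical_missing=(\d+)")
IDS_RE = re.compile(r"action=(\w+)")


def _pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; an empty sample yields no metric at all."""
    if whole == 0:
        raise ValueError("no measurements in the period: metric is undefined")
    return round(100.0 * part / whole, 1)


def pct_hosts_fully_patched(log: str, reference: float = 95.0,
                            period: str = "2013-01") -> Metric:
    """Percentage of hosts with no missing critical patches (Table 13, Loss Prevention)."""
    counts = [int(m.group(2)) for m in PATCH_RE.finditer(log)]
    patched = sum(1 for c in counts if c == 0)
    return Metric("hosts fully patched", _pct(patched, len(counts)), "%", reference, period)


def mttr_hours(incidents, reference: float = 24.0, period: str = "2013-01") -> Metric:
    """Mean Time To Repair for data-loss incidents in hours (Table 13, Loss Control)."""
    if not incidents:
        raise ValueError("no incidents in the period: MTTR is undefined")
    fmt = "%Y-%m-%dT%H:%M:%S"
    hours = [(datetime.strptime(c, fmt) - datetime.strptime(o, fmt)).total_seconds() / 3600
             for o, c in incidents]
    return Metric("MTTR for data-loss incidents", round(sum(hours) / len(hours), 1),
                  "h", reference, period, higher_is_better=False)


def pct_attacks_mitigated(log: str, reference: float = 90.0,
                          period: str = "2013-01") -> Metric:
    """Share of detected network attacks that the appliances blocked (Table 13, Loss Control)."""
    actions = [m.group(1) for m in IDS_RE.finditer(log)]
    blocked = sum(1 for a in actions if a == "blocked")
    return Metric("network attacks mitigated by appliances", _pct(blocked, len(actions)),
                  "%", reference, period)


if __name__ == "__main__":
    for metric in (pct_hosts_fully_patched(PATCH_LOG), mttr_hours(INCIDENTS),
                   pct_attacks_mitigated(IDS_LOG)):
        print(metric)
```

Two design points matter for reporting: an empty sample raises instead of reporting 0% or 100%, because a figure computed from no measurements is not a metric in the paper's sense, and MTTR is flagged as lower-is-better so that the comparison against its reference is not silently inverted.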


There are various ways of reporting security metrics to management and administration. They involve the following steps:

1. Help in communicating performance [58]: produce quantitative measures of the effectiveness of security processes and present the information in an easy way, so that it is available to management and communication becomes easier and faster.

2. Help drive performance improvement [58]: security metrics can be quantified and make the work done by professional security managers visible. With visibility come understanding and trust among people within the organization. Mutual trust and a feeling of protection lead to increased work performance and quality.

3. Measure the effectiveness of IT controls [58]: metrics make it possible to measure and evaluate the controls, and make the system of evaluation clear and understandable. The head manager can see the work performed, discuss the successful and failed measures, and plan future actions for preventing malware infections and attacks.

4. Help diagnose problems [58]: security metrics deliver a fast analysis of the system's work processes and diagnose problem areas. Moreover, they can point to the weakest divisions so that further actions can be planned for them.

5. Provide effective decision-making support [58]: security metrics assist in financial planning and justification, and help in making data-based decisions.

6. Provide increased accountability [58]: security metrics can be quantified and evaluated. The evaluated results can be compared with the results of other organizations obtained during previous time periods. Seeing progress or degradation in the results can significantly increase workers' motivation and lead to the progress of the system in general.

7. Guide resource allocation [58]: security metrics are quantified and give objective measurements, which can direct the administration to the resources that need financial support.

8. Demonstrate the state of compliance [58]: demonstrating compliance with security policies or a governance framework becomes easy with the help of metrics, because stakeholders can have a monthly report card that drives them to achieve their compliance goals.

9. Facilitate benchmark comparisons [58]: a well-structured security metrics program allows officials to compare the security program with those of other organizations in the industry or sector.


Security metrics can be presented graphically and in the form of slides to make the information more understandable and systematic when demonstrating it to senior management and governance bodies. Security metrics are a quantifiable and objective view of results. Thus, they must be presented in the most eye-catching and good-looking way, so that they are interesting and informative at the same time. This is one of the ways to present security metrics to senior management and governance bodies. The following bar graph shows security awareness over a period of two years.
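As an added example (not from the paper or the cited authors), the block below turns a series of metric values into the kind of report card described in points 6, 8 and 9 above: it compares the latest value with a target and with an external benchmark, reports the trend against previous periods, and renders a text bar chart of the kind the security awareness graph illustrates. The quarterly awareness-training figures, the target and the benchmark are constructed values, and the windowed trend rule is an assumption of the example, not the paper's method.

```python
"""Report card and trend for a security metric time series.

Added example, not from the paper: the quarterly figures, target and
benchmark are constructed, and the two-period trend window is an assumption.
"""
from statistics import mean

# Constructed: percentage of staff who completed security awareness training, per quarter.
AWARENESS = {
    "2011-Q1": 42.0, "2011-Q2": 51.0, "2011-Q3": 58.0, "2011-Q4": 63.0,
    "2012-Q1": 70.0, "2012-Q2": 74.0, "2012-Q3": 72.0, "2012-Q4": 81.0,
}
TARGET = 80.0               # constructed internal compliance goal
INDUSTRY_BENCHMARK = 75.0   # constructed peer-sector average


def status(value: float, target: float) -> str:
    """Compliance verdict for the report card."""
    return "MEETS" if value >= target else "BELOW"


def trend(series: dict, window: int = 2) -> str:
    """Compare the mean of the last `window` periods with the `window` before it.

    Averaging over a window keeps a single noisy quarter (e.g. 74 -> 72) from
    being reported as degradation when the longer-run direction is up.
    """
    vals = list(series.values())
    if len(vals) < 2 * window:
        return "insufficient data"
    recent = mean(vals[-window:])
    prior = mean(vals[-2 * window:-window])
    if recent > prior:
        return "improving"
    if recent < prior:
        return "degrading"
    return "flat"


def report_card(series: dict, target: float, benchmark: float) -> dict:
    """Latest value against target, benchmark and previous period, plus the trend."""
    periods = list(series)
    latest = periods[-1]
    previous = series[periods[-2]] if len(periods) > 1 else None
    return {
        "period": latest,
        "value": series[latest],
        "status": status(series[latest], target),
        "vs_benchmark": round(series[latest] - benchmark, 1),
        "change_from_previous": None if previous is None else round(series[latest] - previous, 1),
        "trend": trend(series),
    }


def bar_chart(series: dict, width: int = 40, scale: float = 100.0) -> str:
    """Text bar chart, one row per period, for a percentage metric."""
    rows = []
    for period, value in series.items():
        filled = int(round(value / scale * width))
        rows.append(f"{period:>8} |{'#' * filled:<{width}}| {value:5.1f}%")
    return "\n".join(rows)


if __name__ == "__main__":
    card = report_card(AWARENESS, TARGET, INDUSTRY_BENCHMARK)
    for key, val in card.items():
        print(f"{key:>22}: {val}")
    print()
    print(bar_chart(AWARENESS))
```

The card reports both the change from the previous period and the windowed trend because the two can disagree: a reader who only sees the last delta would miss that a one-quarter dip sat inside an upward run.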


Fig: Security Awareness [60]

Thus, the main target is to get the most helpful information from the generated metrics so that it becomes possible to modernize the organization's security program and equipment. Such measures lead to the prosperity of the organization.


[1] (cited as [58]): reference text not present on this page.

[2] (cited as [59]): Hayden, L. IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data.

[3] (cited as [200]): Whitman, M. E., & Mattord, H. J. (2011). Management of Information Security (3rd ed.). Course Technology.

[4] (cited as [60]): reference text not present on this page.
