Information Security Metrics

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 2 min read

Many kinds of metrics can gauge the strength of an organization's information security posture. At the highest level, a CSO needs to know the time-to-detection and time-to-remediation of a security threat (Kushto, 2018). Time-to-detection measures how much time elapsed between a threat being introduced to the network and its eventual detection. Similarly, time-to-remediation measures the time taken by the CSO's organization to resolve the issue completely (Kushto, 2018).


Berinato (2005) outlined several metrics that can be used to gauge the day-to-day readiness of a company's IT infrastructure to deter cyber security threats. For instance, a defense coverage metric (antivirus, antispyware, firewall, etc.) gives a view of how many of the company's IT assets are protected. Another metric is patch latency, the time between a patch being released and its successful deployment across all machines. Platform compliance covers whether machines have ports left unnecessarily open and similar conditions. Trend analysis of email traffic also helps detect a sudden surge in junk and spam email, which can increase the risk of a security breach (Berinato, 2005). Other secondary metrics can track the number of systems with known vulnerabilities, the number of SSL certificates configured incorrectly, the corporate volume of daily data transfer, the number of users with administrative or super-user access, and so on.


The metrics highlighted above show the readiness of the corporate IT infrastructure in the event of a security incident. From a day-to-day perspective, however, a couple of key metrics can identify whether the company's security posture has actually been compromised. One such metric is the trend of security events recorded at an hourly level and later aggregated at daily, weekly and monthly levels (Rhodes-Ousley, 2013). In a business-as-usual situation this metric sets the baseline of the security situation; if the number of security incidents suddenly increases, immediate attention is required to neutralize the threat as quickly as possible. Another metric is the number of attacks blocked by already deployed defense mechanisms such as firewalls, antivirus and antimalware. The trend of this metric also helps catch anomalies: a sudden surge in blocked incidents (viruses, malware, etc.) can indicate that the corporate infrastructure is under attack and that security measures might need a review (Rhodes-Ousley, 2013). Changes in the network traffic traversing the ingress and egress points of the corporate network can likewise highlight a potential security condition requiring attention.
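As an added illustration (not code from the article or its sources), the following Python computes the metrics described above from constructed sample data: mean time-to-detection and time-to-remediation from incident records (remediation is measured from detection, an assumption), and an hourly security-event trend aggregated into daily totals with a surge flagged against a business-as-usual baseline (the mean-plus-three-standard-deviations threshold is also an assumption).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FMT = "%Y-%m-%dT%H:%M"

# Constructed incident records (sample data, not real incidents).
INCIDENTS = [
    {"id": "INC-1", "introduced": "2022-02-01T08:00", "detected": "2022-02-01T20:00", "resolved": "2022-02-03T09:00"},
    {"id": "INC-2", "introduced": "2022-02-10T02:00", "detected": "2022-02-12T02:00", "resolved": "2022-02-12T14:00"},
    {"id": "INC-3", "introduced": "2022-02-20T12:00", "detected": "2022-02-20T15:00", "resolved": "2022-02-20T20:00"},
]

def _hours(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600

def mean_time_to_detection(incidents):
    """Hours between a threat entering the network and its detection, averaged over incidents."""
    return mean(_hours(i["introduced"], i["detected"]) for i in incidents)

def mean_time_to_remediation(incidents):
    """Hours from detection to complete resolution, averaged (measured from detection: an assumption)."""
    return mean(_hours(i["detected"], i["resolved"]) for i in incidents)

def constructed_hourly_events():
    """Constructed sample: 8 days of hourly security-event counts, with a spike injected on day 8."""
    rows = []
    for day in range(1, 9):
        for hour in range(24):
            n = 10 + (hour + day) % 5            # mild, deterministic hour-to-hour variation
            if day == 8 and hour == 14:
                n += 60                           # the surge the baseline should catch
            rows.append((f"2022-02-{day:02d}T{hour:02d}:00", n))
    return rows

def daily_counts(hourly):
    """Aggregate (timestamp, count) hourly records into per-day totals, oldest day first."""
    days = defaultdict(int)
    for ts, n in hourly:
        days[ts[:10]] += n
    return dict(sorted(days.items()))

def surge_days(daily, baseline_days, k=3.0):
    """Days whose total exceeds the business-as-usual baseline (mean + k * stddev of the
    first baseline_days); k=3 is an assumed threshold, not one taken from the article."""
    base = [daily[d] for d in list(daily)[:baseline_days]]
    mu, sigma = mean(base), pstdev(base)
    return [d for d, n in daily.items() if n > mu + k * sigma]
```

With the constructed data, the first seven days form the baseline and only the eighth day, which carries the injected spike, is reported as a surge.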


References:

Rhodes-Ousley, M. (2013). The complete reference: Information security. New York, NY: McGraw Hill.

Berinato, S. (2005). A few good information security metrics. Retrieved from https://www.csoonline.com/article/2118152/metrics-budgets/a-few-good-information-security-metrics.html

Kushto (2018). Security metrics you need for the board. Retrieved from https://www.csoonline.com/article/3280966/metrics-budgets/security-metrics-you-need-for-the-board.html
