Introduction: How To Use This Spreadsheet: Security Metrics
The tables in this spreadsheet illustrate the metrics scoring process described by Krag Brotby and Gar
Security Metrics".
This spreadsheet is provided as a tool to accompany and illustrate the concepts laid out in depth in the
The spreadsheet alone is not sufficient for you to choose suitable information security metrics, n
measurement system. The book describes a rational process to score, rank and shortlist candidat
goes on to cover the complexities of designing, using and maintaining a metrics system. In particula
thinking behind the PRAGMATIC scoring criteria, and hopefully to appreciate the reasons why we ha
stated herein.
The example metrics and their PRAGMATIC scores in this spreadsheet are purely illustrative, demo
PRAGMATIC scoring process in practice. In determining the scores, we have made lots of assumpti
be viewed by management in a fictional generic mid-sized commercial organization, "ACME Inc
discussing them and resolving our differences (mostly!). The PRAGMATIC scores make sense to u
free to disagree with us. Seriously, consider and challenge these examples, preferably in conjunctio
we insist.
Do not rely solely on these example metrics or the scores, not even if you happen to wor
commercial organization and agree 100% with us, which is highly unlikely. Don't just meekly swallow
Develop a set of candidate information security metrics and score them in your own specific organ
creative. Develop your own metrics, and steal good metrics ideas from wherever you find inspiratio
field). Use whatever structures make sense to you. Discuss, score and refine the scores with your pe
colleagues. Argue about them. Get passionate about information security and metrics. Benefit as m
process as from the output. We hope you'll enjoy the game even more than the final result.
Using this spreadsheet and the example metrics simplistically without the broader context from th
inefficient and ineffective, and may well harm rather than help your information security. Read the
systematic view of your security metrics, specifying metrics that are useful at your current sta
improvements to your information security arrangements. The systematic aspect goes beyond simply
There are maturity and other factors to consider. Trust us, this is not nearly as easy as it appears. Us
Management/governance metric
8.13 Psychometrics
IT security metric

Scoring rows recovered from the tables (columns: Note, S/M/O, then the P R A G M A T I scores; the C score and the Note headings for the remaining rows were not recovered):

Note                                                                        S/M/O  P   R   A   G   M   A   T   I
"It's the way we've always done it: put the pink copy in the green
file ..."; gathering the data has spin-off benefits                         SM     85  88  85  80  84  75  22  62
Information asset owners are accountable for their adequate protection;
orphaned assets are less likely to be properly secured                      M      85  90  97  90  90  95  85  99
Virtually all the power ends up as heat, so it is important to track
power consumed against the air conditioning capacity                        O      81  69  89  92  80  99  98  90
A 'heartbeat' metric: the sudden unexpected lack of data from a system
is probably a security incident                                             O      87  88  94  93  93  94  97  89
[Table residue: twelve "C Score" column groups listing a C score and an overall PRAGMATIC Score percentage per metric; the metric names belonging to these rows were not recovered.]
Example information s
ranked by PRAGMATIC s
34 14.7 Uptime

Note                                                                        S/M/O  P   R   A   G   M   A   T
Measure the completeness, accuracy and up-to-date-ness of the inventory     MO     82  66  83  78  80  43  50
[Table residue: three numeric columns per metric, the last being the overall PRAGMATIC Score percentage, listed in descending order of score; the metric names belonging to these rows were not recovered.]
This spreadsheet is protected internationally by copyright law.