Source: SANS Institute
This paper covers the basic aspects of security metrics. If you are interested in learning more about information security metrics and auditing, we recommend taking the SANS SEC410 IT Security Audit & Control Essentials course, available both online and via live classroom training.

The pressure is on. Various surveys indicate that over the past several years computer security has risen in priority for many organizations. Spending on IT security has increased significantly in certain sectors: four-fold since 2001 within the federal government alone [1]. As with most concerns that achieve high-priority status with executives, computer security is increasingly becoming a focal point not only for investment, but also for scrutiny of the return on that investment. In the face of regular, high-profile news reports of serious security breaches, security managers are being held accountable more than ever before for demonstrating the effectiveness of their security programs. What means should managers be using to meet this challenge? Some experts believe that security metrics should be key among these [2]. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.