Understanding information security governance metrics

A metric is a measurement of a process to determine how well the process is performing. Security-related metrics indicate how well the controls can mitigate the risks. For example, a system uptime metric helps us to understand whether a system is available to the user as per requirements.

The objective of metrics

On the basis of effective metrics, an organization evaluates and measures the achievement and performance of various processes and controls. The main objective of a metric is to help the management in decision-making. A metric should be able to provide relevant information to the recipient so that informed decisions can be made.

Technical metrics vis-à-vis governance-level metrics

Technical metrics help us to understand the functioning of technical controls such as IDS, firewalls, antivirus software, and more. They are useful for tactical operational management. However, these metrics have little value from a governance standpoint.

Management is more concerned about the overall security posture of the organization. Full audits and comprehensive risk assessments are a few of the activities that help the management to understand security from a governance perspective.

Characteristics of effective metrics

Good metrics should be SMART. That is, specific, measurable, attainable, relevant, and timely. Let's look at those in more detail:

• Specific: The metric should be specific, clear, and concise.
• Measurable: The metric should be measurable so that it can be compared over a period.
• Attainable: The metric should be realistic and achievable.
• Relevant: The metric should be linked to specific risks or controls.
• Timely: The metric should be able to be monitored on a timely basis.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.8 – Key aspects from the CISM exam perspective

Questions

1. What should information security decisions be based on primarily?

   A. Market research.

   B. Predicative analysis.

   C. Industry standards.

   D. Effective metrics.

   Answer: D. Effective metrics.

   Explanation: Based on effective metrics, organizations evaluate and measure the achievements and performance of various processes and controls. Effective metrics are primarily used for security-related decision making. The other options are secondary factors.

2. Which of the following is considered to have the most important strategic value?

   A. A privileged access management process.

   B. Trends in incident occurrence.

   C. System downtime analysis.

   D. Results of penetration tests.

   Answer: B. Trends in incident occurrence.

   Explanation: Trends in incidents will be more valuable from a strategic perspective as they will indicate whether a security program is heading in the right direction or not. The other options are more of an operational metric.

3. What is the most important metric that indicates the organizational risk?

   A. The expected annual loss.

   B. The number of security incidents.

   C. The number of unplanned business interruptions.

   D. The number of open vulnerabilities.

   Answer: C. The number of unplanned business interruptions.

   Explanation: The number of unplanned business interruptions is the best indication to evaluate organizational risk by determining how much business may be lost due to interruptions. Annual loss expectancy is based on projections and does not indicate actual value. Security incidents and open vulnerabilities do not reveal impact.

4. What is the best method to determine the level of alignment of the security objectives with the business objectives?

   A. Interview the security manager.

   B. Review the capability maturity model.

   C. Review the risk assessment report.

   D. Review the business balanced scorecard.

   Answer: D. Review the business balanced scorecard.

   Explanation: Reviewing the business balanced scorecard will help to determine the alignment of the security goals with the business goals. The business scorecard contains important metrics from the business perspective. The other options do not address the alignment directly.

5. What is the most essential attribute for a metric?

   A. Metrics should be easy to implement.

   B. Metrics should be meaningful to the process owner.

   C. Metrics should be qualitative.

   D. Metrics should be able to support regulatory requirements.

   Answer: B. Metrics should be meaningful to the process owner.

   Explanation: Metrics are a measurement used to evaluate and monitor a particular process. Metrics are most effective when they are meaningful to the person receiving the information. The process owner should be able to take appropriate action based on the metrics. Metrics can be either quantifiable or qualitative based on the nature of the process. Options A and D are important, but more significant is the ability of metrics to convey meaning.

6. What is the most important attribute of a key risk indicator (KRI)?

   A. A KRI should be flexible and adaptable.

   B. A KRI should be arrived at by consistent methodologies and practices.

   C. A KRI should be easy to understand.

   D. A KRI should be convenient for the process owner to use.

   Answer: B. A KRI should be arrived at by consistent methodologies and practices.

   Explanation: A KRI will be effective only if it is arrived at by consistent methodologies and practices. In the absence of this, the KRI will be meaningless as it cannot be compared over different periods of time and hence it may not be able to indicate actual risk. Other options are good attributes but do not provide a consistent approach to determine deviation over the period.

7. What is the best indicator to determine the effectiveness of the security strategy?

   A. The strategy helps to improve the risk appetite of the organization.

   B. The strategy helps to implement countermeasures for all the threats.

   C. The strategy helps to minimize the annual losses.

   D. The strategy helps to achieve the control objective.

   Answer: D. The strategy helps to achieve the control objective.

   Explanation: The control objectives are developed to achieve the acceptable level of risk. The strategy is effective if the control objectives are met. The other options may be part of the control objectives, but the effectiveness of the security strategy is best measured by evaluating the extent to which the overall control objectives are met.

8. The information security manager has been asked to implement a particular security standard. Which of the following is the most effective to monitor this?

   A. The key success factor.

   B. The key objective indicator.

   C. The key performance indicator.

   D. The key goal indicator.

   Answer: C. The key performance indicator.

   Explanation: The key performance indicator measures how well a process is performing compared to its expectations. The key success factor determines the most important aspects or issues to achieve the goal. The key objective indicator and key goal indicator define the objective set by the organization.