ISACA Journal Author Blog


A Healthy Way to Think of Metrics

Julio Pontes, CISM, BS7799LA, CCSK, CISSP
Published: 11/26/2018 3:01 PM | Category: Security

Healthcare has many parallels with information security, since both are based on prevention, monitoring, diagnosis and correction to avoid negative results. If medical success, however, were measured only by the prevention of death, doctors would be the worst professionals in the world. After all, we are all going to die one day.

Moreover, if we apply that same rationale to information security and measure its success or failure only through incident prevention, we will see some successes, but, eventually, there will be failures, perhaps catastrophic ones. Does this sound familiar?

Instead of waiting for these extreme results, we must track indicators (or risk factors) that can positively affect our situation. As in healthcare, there are risk factors beyond our control, such as gender, age and family history, and behavioral factors that can have a significant impact on our health, including diet, physical activity level and use of tobacco products.

Some decisions about which risk factors to address have already been made in your organization—if not scientifically, at least through common sense. The decisions to implement any defensive technology such as firewalls, antivirus software or web filtering were made based on the risk factors inherent to your business—in most cases, to act on something that you cannot control (threats).

So, what should you measure to improve the health of your information security? Although the evidence may not be as conclusive as in the case of healthcare, there are many good sources of good practice provided by ISACA® and groups such as SANS, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The most important thing is to pay special attention to the factors you can control: the processes in place and, in particular, the management of the technologies you have already implemented.

To continue the analogy with healthcare, this can be compared to physical exercise and heart disease: It may not be easy to get off the couch, but the risk of not doing so is high and the benefits are proven. However, measuring these indicators alone will not protect you. We need to cultivate good behaviors—in other words, choosing to "get off the couch" and apply good security management practices (factors that you can control) will have a dramatic effect on your organization, and on your health as well.

Read Julio Pontes' recent Journal article:
"Automation, Governance and Security in a Software-Defined World," ISACA® Journal, volume 6, 2019.

Comments

Re: A Healthy Way to Think of Metrics

InfoSec metrics are more complex to solve. A hospital knows how many patients were saved vs. patients visited? Has someone discovered an efficient answer to gather InfoSec metrics which are industry agnostic?
Nitin548 at 11/27/2018 7:24 AM

Re: A Healthy Way to Think of Metrics

Hi Nitin,

Both are pretty complex; we just got more used to health-related metrics. The main idea is finding and measuring risk factors before getting undesirable outcomes.

In your example, "patient visited" doesn't look as good as "blood pressure" and "heart rate" to be measured to save a patient's life. In InfoSec you need to select relevant metrics as well, such as "# of unpatched systems", "mean time to respond to an incident", etc.

There is a lot of agnostic material on infosec metrics. You can find good sources of information in the ISACA online library. There is also a good document on what to measure at:

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-55r1.pdf

Another important thing about infosec metrics (as in healthcare) is that they must capture "effectiveness", not only "effort". Just visiting patients is not enough to save them. We need to think of how visiting patients impacts reducing the risk factors. :) It is the best way to save our assets/data (and our jobs also).



jpontes at 11/27/2018 8:10 PM
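As an added illustration of the reply above (example code written for this page, not the author's or ISACA's), the block below computes the two metrics named in the comment from constructed sample records and separates an "effort" number (patches applied) from an "effectiveness" number (share of hosts with no critical patch overdue past an assumed 14-day SLA), plus mean time to respond to an incident.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real data): one row per host, the release
# date of its latest critical patch, and whether that patch has been applied.
HOSTS = [
    {"host": "web-01", "critical_patch_released": "2018-11-01", "patched": True},
    {"host": "web-02", "critical_patch_released": "2018-11-01", "patched": False},
    {"host": "db-01", "critical_patch_released": "2018-10-05", "patched": False},
    {"host": "app-01", "critical_patch_released": "2018-11-20", "patched": False},
]

# Constructed sample incidents: when each was detected and first responded to.
INCIDENTS = [
    {"id": 1, "detected": "2018-11-02 09:00", "responded": "2018-11-02 10:30"},
    {"id": 2, "detected": "2018-11-10 22:00", "responded": "2018-11-11 06:00"},
    {"id": 3, "detected": "2018-11-15 13:00", "responded": "2018-11-15 13:45"},
]

PATCH_SLA_DAYS = 14  # assumed policy: critical patches applied within 14 days


def patch_metrics(hosts, as_of, sla_days=PATCH_SLA_DAYS):
    """Effort: how many hosts were patched. Effectiveness: share of hosts NOT
    carrying a critical patch beyond the SLA, i.e. the actual risk factor."""
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    overdue = []
    for h in hosts:
        released = datetime.strptime(h["critical_patch_released"], "%Y-%m-%d")
        if not h["patched"] and (as_of_dt - released).days > sla_days:
            overdue.append(h["host"])
    return {
        "patched_count": sum(h["patched"] for h in hosts),        # effort
        "unpatched_count": sum(not h["patched"] for h in hosts),  # raw count
        "overdue_hosts": overdue,                                 # risk factor
        "within_sla_pct": round(100 * (1 - len(overdue) / len(hosts)), 1),
    }


def mean_time_to_respond_hours(incidents):
    """Mean time from detection to first response, in hours."""
    fmt = "%Y-%m-%d %H:%M"
    total = timedelta()
    for i in incidents:
        total += datetime.strptime(i["responded"], fmt) - datetime.strptime(i["detected"], fmt)
    return round(total.total_seconds() / 3600 / len(incidents), 2)


if __name__ == "__main__":
    print(patch_metrics(HOSTS, "2018-11-25"))
    print(mean_time_to_respond_hours(INCIDENTS), "hours")
```

Note that app-01 is unpatched but not yet overdue, so the raw unpatched count (3) overstates the risk that the SLA-based figure (2 overdue hosts, 50% within SLA) captures.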
