JOnline: Security Metrics—A Beginner’s Guide 


The challenge faced by security professionals in measuring and reporting IT security performance is very appropriately summarized by Andrew Jaquith in the foreword of this book. Jaquith says, “Information security is one of those funny disciplines where the best outcome in a given day is…nothing. Nothing bad happened.”

Security metrics are important not only for claiming the optimum share of the IT budget, but also for creating security awareness across the company and improving the overall security posture of the organization. Measuring security is not a matter of throwing numbers generated by a security tool at management. It is all about identifying meaningful measures and communicating them in the most effective manner to the right stakeholders. This cannot be achieved on a sustainable basis without a comprehensive security metrics program.

Security Metrics—A Beginner’s Guide by Caroline Wong helps security professionals build a security metrics program. This is a beginner’s guide, as the title suggests, though some parts are relevant even to experienced and seasoned security professionals.

The book is divided into nine parts. The first three parts establish a foundation that the later parts build upon.

The first part of the book emphasizes the importance of the security metrics program. It talks about the changing profile of a cybercriminal. The computer nerd aiming to establish his technological superiority and satisfy his ego has been replaced by organized groups of criminals trying to create financial havoc or commit cyberterrorism. With cybercriminals continually adopting new technologies, security professionals need to do their best every day. An effective measurement program can equip security professionals with the right information to improve the security program.

Any security metrics program should start by identifying what to measure. The obvious answer is that security should measure what is important for the business. Ironically, however, this is not easy to establish. After establishing the importance of having a security metrics program, the book provides guidance on how to determine what should be measured.

Part four of the book elaborates on how to implement a security metrics program. It covers setting the objectives, defining priorities and obtaining buy-in from key stakeholders.

Any serious attempt at having a comprehensive security metrics program is incomplete without meaningful automation. Such a program is simply not sustainable without automation, which helps not only in gathering the data, but also in processing and communicating the results. The book covers a range of automation options, from the most popular Excel sheet to the most advanced online analytical processing (OLAP) tools.

Another important aspect of a metrics program is communicating the results of measurement. Interpreting the results in the most meaningful manner and communicating them effectively require analytical and presentation capabilities. While tools may help with measurement and, to a certain extent, presentation, analyzing and correlating results are vital to ensuring the usefulness of a security metrics program. These aspects are adequately covered in different parts of the book.

Finally, the book covers the relationship between cloud computing and security metrics. The book also provides templates and checklists in the appendix.

The book, written in a very simple manner, is a must-read for those embarking on a journey of developing an organized and sustainable security metrics program.

Editor’s Note

Security Metrics—A Beginner’s Guide is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the Journal, visit, email the Bookstore at or telephone +1.847.660.5650.

Reviewed by Upesh Parekh, CISA, governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. Parekh is based in Pune, India, and works for Barclays Technology Centre, India. He can be reached at


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.