
March 21, 2019


Konrad Buczynski

Stating the obvious, this is an extremely useful initiative, one in which organisations lag globally. Alongside risk assessment, KPIs, and the benchmarking of them, are key for making the security business case.

The Australian Government released its Protective Security Policy Framework late last year, and finally moved to maturity reporting, as opposed to a focus on prescriptive compliance reporting. KPI and metrics development and reporting is key in the new regime and is already having a positive impact, particularly in the way that people are discussing performance.

Great job, please keep it coming.

Gary Hinson

Hey George, I came to read this article, fearful that it would specify 'the top 5 security metrics'. I am relieved to see you specify a general method for determining key security metrics instead - well done sir!

I'm often asked the same thing in respect of information security or cybersecurity metrics, and I too am reluctant to specify any specific metrics because metrics are so context-dependent. The approach I recommend called GQM (Goal - Question - Metric) is eloquently described by Lance Hayden in "IT Security Metrics". It starts by clarifying and elaborating on the organization's goals in this area, then posing a bunch of questions arising, then identifying the information that would be needed to address those questions. In practice, there are so many possible metrics that a further step is needed to consider and evaluate their value, then shortlist the few that show most promise - a filtering or sifting process that systematically examines characteristics of each metric: we (Krag Brotby and I) described the process in "PRAGMATIC Security Metrics" and at http://www.SecurityMetametrics.com
