March 21, 2019


Konrad Buczynski

Stating the obvious, this is an extremely useful initiative, one in which organisations lag globally. Alongside risk assessment, KPIs, and the benchmarking of them, are key for making the security business case.

The Australian Government released its Protective Security Policy Framework late last year, and finally moved to maturity reporting, as opposed to a focus on prescriptive compliance reporting. KPI and metrics development and reporting is key in the new regime and is already having a positive impact, particularly in the way that people are discussing performance.

Great job, please keep it coming.

Gary Hinson

Hey George, I came to read this article, fearful that it would specify 'the top 5 security metrics'. I am relieved to see you specify a general method for determining key security metrics instead - well done sir!

I'm often asked the same thing in respect of information security or cybersecurity metrics, and I too am reluctant to specify any specific metrics because metrics are so context-dependent. The approach I recommend called GQM (Goal - Question - Metric) is eloquently described by Lance Hayden in "IT Security Metrics". It starts by clarifying and elaborating on the organization's goals in this area, then posing a bunch of questions arising, then identifying the information that would be needed to address those questions. In practice, there are so many possible metrics that a further step is needed to consider and evaluate their value, then shortlist the few that show most promise - a filtering or sifting process that systematically examines characteristics of each metric: we (Krag Brotby and I) described the process in "PRAGMATIC Security Metrics" and at http://www.SecurityMetametrics.com