ASIS releases comprehensive study on the development and implementation of security metrics.
Security metrics are vital, but in the field and in the literature, one finds few tested metrics and little guidance on using metrics effectively to inform and persuade senior management.
To address the gap, the ASIS Foundation sponsored a major research project designed to add to the body of knowledge about security metrics and to empower security professionals to better access and present metrics. The research involved an industry survey on the use of metrics and in-depth interviews with 16 security practitioners to gather case studies of the effective metrics they employ.
The study generated these practical, actionable products:
– The Security Metrics Evaluation Tool (Security MET), which security professionals can self-administer to develop, evaluate, and improve security metrics
– A library of metric descriptions, each evaluated according to the Security MET criteria
– Guidelines for effective use of security metrics to inform and persuade senior management, with an emphasis on organizational risk and return on investment