What cannot be measured cannot be managed. This is a commonly accepted business paradigm, yet its acceptance within the security industry is not as far-reaching as in other industries. Simply put, data-driven security refers to using measurable factors to drive a security program. While not all elements of a security program lend themselves to measurement, many components can be measured effectively.
Metrics are critical to provide the necessary information to fully understand security issues, design effective solutions, and provide a feedback loop to evaluate program effectiveness.
The National Institute of Standards and Technology defines metrics as tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. Thus, security metrics assist security professionals in making asset protection decisions through the measurement of performance-based characteristics of security components. Simply stated, security metrics are tools used for measuring a company’s security posture.
Good metrics are attainable when security professionals strive for S.M.A.R.T. metrics. S.M.A.R.T. stands for Specific, Measurable, Actionable, Relevant, and Timely.
Specific – a metric must measure a specific variable.
Measurable – a metric must measure what is measurable. Not all components of a security program are measurable. For example, morale among security forces is often “measured,” but not in a quantitative manner.
Actionable – a metric should not measure variables which cannot be acted upon. If a security decision maker cannot remedy a problem, there is not much sense in wasting time on that variable.
Relevant – a metric that fails to provide any information to improve the security program should be avoided. If the metric cannot tell us where we can improve, it is not relevant.
Timely – metrics have expiration dates. Historical data is an excellent indicator of the future; however, the older the data, the less important it may be. A metric system incapable of assessing the latest data is useless.
CrimeAnalysis™ is a web-based software application that identifies the threat level at each of your facilities using actual crime records from the local law enforcement agencies where your facilities are located. Security metrics generated by CrimeAnalysis™ can help you benchmark your threats, select appropriate countermeasures, and reduce risk. CrimeAnalysis™ is used by security decision makers in many types of environments including retail stores, hotels, office buildings, banks, schools, restaurants, apartments, hospitals, and many more.
CrimeAnalysis™ allows our clients to demonstrate and document due diligence efforts and realize a sizable Return on Investment (ROI). Download a case study published by ASIS-International: https://www.threatanalysis.com/SBP6CrimeROI.pdf
CrimeAnalysis™ allows our clients to:
- Identify threats to your assets
- Analyze threat patterns
- Allocate security resources based on actual threats
- Reduce vulnerabilities and risk
- Forecast future threats
- Determine high and low crime thresholds mathematically
- Graph and disseminate threat data
CrimeAnalysis™ uses the Federal Bureau of Investigation’s Uniform Crime Report (UCR) coding system to develop a crime history at your facilities. This allows you to accurately compare threat levels at each facility, recognize crime patterns, calculate crime rates, forecast future crimes, and determine “normal” levels of crime. Our published methodology includes an exclusive crime verification feature which confirms crimes reported at your facilities using criminal offense reports.