Security Performance Metric Development presented at AUScert 2009

by Andrew Collins and Matthew Brunckhorst

Summary: With continuing budget cuts within the Federal Government, this presentation discusses replacing fear, uncertainty and doubt (or worse, the backdated threat and risk assessment) with rigorous, business-focused security performance metrics aimed at measuring the effectiveness of IT security budgets.
The presentation will discuss approaches and recent developments regarding security metric development, specifically:
Why security metrics are needed: how security budgets are typically allocated as a percentage of the total IT budget, and how those figures are generated. The presentation will challenge a number of these ‘truths’, identify where assumptions and guesses have become self-fulfilling ‘facts’, explain why this approach is ill-founded, and show why metrics provide a justifiable case for business expenditure on security.
Defining Metrics: what makes a good metric; the definition, capture and presentation of various metrics; a discussion of their effectiveness and relevance; what makes a bad metric, and which measures are commonly misconstrued as metrics.
Measuring Effectiveness: measuring security effectiveness against the ISM (the Australian Government Information Security Manual) and against business objectives.
Identifying Efficiencies: security metrics need to be aimed at improving the business by identifying where systems can be consolidated, re-deployed or removed, or where business processes can be changed to make better use of staff.
NOTE: This presentation is vendor-agnostic and discusses metric development in a generic sense.