Tuesday, May 29, 2007

What Are Metrics And Their Attributes?

A metric is a group of measurements that, taken together, produce a quantitative picture of something over a
period of time. Good metrics are specific, measurable, attainable, repeatable and time-dependent. An
important difference between a metric and a measurement is that a metric uses a baseline as a
means of interpreting the results of the measurements: a raw count on its own says nothing until it is
compared with what is normal for the same environment over the same kind of period.


Some suggested metrics to start with:
1. Number of successful logons – from security audit logs.
2. Number of unsuccessful logons – from security audit logs.
3. Number of virus infections during a given period.
4. Number of incidents reported.
5. Number of security policy violations during a given period.
6. Number of policy exceptions during a given period.
7. Percentage of expired passwords.
8. Number of guessed passwords – run a password cracker against your own password hashes to test them.
9. Number of incidents.
10. Cost of monitoring during a given period – use your time tracking system if you have one.
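As an added example (not part of the original post), the first two suggested metrics produced from audit log lines and then interpreted against a baseline, which is the distinction drawn above between a metric and a measurement. The log lines, the sshd message format they follow, the daily baseline of 2 successful and 1 failed logon, and the 50% tolerance are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample audit log lines in OpenSSH/syslog style. They are made up
# for this example and are not data from the original post.
SAMPLE_LOG = """\
May 28 09:01:12 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
May 28 09:02:45 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 51030 ssh2
May 28 09:02:49 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 51030 ssh2
May 28 09:03:01 host1 sshd[2215]: Accepted publickey for bob from 10.0.0.9 port 51031 ssh2
May 28 09:10:33 host1 sshd[2230]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
May 28 09:10:35 host1 sshd[2230]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
May 28 09:10:38 host1 sshd[2231]: Failed password for invalid user root from 203.0.113.7 port 40012 ssh2
May 29 08:55:10 host1 sshd[2310]: Accepted password for alice from 10.0.0.5 port 51100 ssh2
May 29 08:57:00 host1 sshd[2315]: Accepted password for carol from 10.0.0.12 port 51104 ssh2
"""

# Matches the "Accepted ..." / "Failed ..." lines sshd writes; other lines are ignored.
LOGON_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def count_logons(log_text):
    """Measurements only: successful and failed logons per calendar day.

    Returns e.g. {"May 28": Counter({"failure": 5, "success": 2}), ...}.
    """
    per_day = {}
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        day = f"{m['mon']} {m['day']}"
        counts = per_day.setdefault(day, Counter())
        counts["success" if m["result"] == "Accepted" else "failure"] += 1
    return per_day


def interpret(measurement, baseline, tolerance=0.5):
    """Turn a measurement into a metric by comparing it with its baseline.

    A reading more than `tolerance` (50% by default) away from the baseline is
    flagged as above or below; anything closer is "within baseline".
    """
    if baseline == 0:
        return "within baseline" if measurement == 0 else "above baseline"
    ratio = measurement / baseline
    if ratio > 1 + tolerance:
        return "above baseline"
    if ratio < 1 - tolerance:
        return "below baseline"
    return "within baseline"


def logon_metrics(log_text, baseline):
    """Per-day metrics for successful and unsuccessful logons.

    `baseline` holds the expected daily count for each series, e.g.
    {"success": 2, "failure": 1}. In practice it is derived from earlier
    periods of the same environment, not guessed.
    """
    report = {}
    for day, counts in count_logons(log_text).items():
        report[day] = {
            series: (counts[series], interpret(counts[series], baseline[series]))
            for series in ("success", "failure")
        }
    return report


if __name__ == "__main__":
    # Hypothetical baseline assumed for the example.
    for day, series in logon_metrics(SAMPLE_LOG, {"success": 2, "failure": 1}).items():
        for name, (value, status) in series.items():
            print(f"{day}: {name:8s} {value:3d}  {status}")
```

With the assumed baseline, May 28 shows 5 failed logons against an expected 1 and is flagged above baseline (three of them are for accounts that do not exist, from one external address), while the same day's 2 successful logons are within baseline; the counts alone would not tell you which number deserves attention.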



Process Metrics — a metric that represents the maturity of a security process. They are best for
reporting to management on the quality of your security program and on its improvement over time. From the above
list, #6 (number of policy exceptions) is the only example of a process metric.

Examples of other process metrics include:

· Percentage of passwords meeting policy.
· Percentage of exposed systems covered by an IDS.
· Number of firewalls per exposed system.
· Number of external users.
· Number of changes made to firewalls during a given period.
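As an added example (not part of the original post), the first process metric above, percentage of passwords meeting policy, computed at password-change time so that no password ever has to be stored for the check. The policy itself (at least 12 characters, three of four character classes, no username, no strings a cracker tries first) and the sample submissions are assumptions made for this example, not rules from the post.

```python
import re

# Hypothetical policy for the example; the post does not state one.
MIN_LENGTH = 12
MIN_CLASSES = 3  # out of: lowercase, uppercase, digit, other
# Constructed deny-list of strings a password cracker tries first.
DENY_LIST = ("password", "123456", "qwerty", "letmein")

CLASS_PATTERNS = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"\d"),
    re.compile(r"[^A-Za-z0-9]"),
)


def password_meets_policy(password, username):
    """Check one candidate password; returns (ok, list of reasons it failed)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for p in CLASS_PATTERNS if p.search(password))
    if classes < MIN_CLASSES:
        reasons.append(f"only {classes} of {MIN_CLASSES} required character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in DENY_LIST:
        if word in lowered:
            reasons.append(f"contains deny-listed string {word!r}")
            break
    return (not reasons, reasons)


def percentage_meeting_policy(submissions):
    """Process metric: share of password submissions that satisfied the policy.

    `submissions` is an iterable of (username, password) pairs as seen at
    change time; only the pass/fail outcome needs to be kept.
    """
    submissions = list(submissions)
    if not submissions:
        return 0.0
    ok = sum(1 for user, pw in submissions if password_meets_policy(pw, user)[0])
    return round(100.0 * ok / len(submissions), 1)


# Constructed sample submissions (made up for this example).
SAMPLE_SUBMISSIONS = [
    ("alice", "Tr0ub4dor&3xample!"),    # passes
    ("bob", "bobbypassword1"),          # username, deny-listed string, two classes
    ("carol", "Summer2007"),            # too short
    ("dave", "Password123456"),         # deny-listed string
    ("erin", "c0rrect-Horse-Battery"),  # passes
]

if __name__ == "__main__":
    for user, pw in SAMPLE_SUBMISSIONS:
        ok, why = password_meets_policy(pw, user)
        print(f"{user:6s} {'OK  ' if ok else 'FAIL'} {'; '.join(why)}")
    print(f"{percentage_meeting_policy(SAMPLE_SUBMISSIONS)}% of submissions met policy")
```

Reported over successive periods against the earlier figure, the percentage shows whether the password process is maturing; the per-submission reasons tell you which rule is doing the rejecting.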


Security Metrics — a metric that indicates the extent to which a security attribute is present. They are best for reporting the state of security to the members of your organization, to the people who collect the metrics and to the process implementers. The rest of the above list are examples of security metrics. You can also include the following:

· Frequency of audit reviews.
· Number of systems in compliance with virus signature updates.
· Number of virus-infected components.