Top Ten Strategic Security Metrics

Last week at the Burton Group conference I presented on the Top Ten Strategic Security Metrics. It is really interesting to see the reactions I get from people about these. Some security professionals get really excited about them, while others think they are pie-in-the-sky. Rest assured that even though these are strategic metrics, they have detailed grounding in operational metrics. That is the true value of the metrics – they bridge the gap.

Anyway, here they are:

  1. Transaction Value (TV) – (Total Value of IT and Information Assets $ / Total
    Transactions)
  2. Transaction Cost (TC) – (Total Cost of IT and Information Assets $ / Total
    Transactions)
  3. Controls per Transaction (CPT) – (Total Number of Inline Control Events /
    Total Transactions)
  4. Cost per Control (CPC) – (Total Cost of Control $ / Total Number of Inline
    Control Events)
  5. Security to Value Ratio (STV) – (Total Security Costs $ / Total Value of IT
    and Information Assets $)
  6. Loss to Value Ratio (LTV) – (Total Losses $ / Total Value of IT and
    Information Assets $)
  7. Control Effectiveness Ratio (CE) – ((Good Allowed Control Events + Bad
    Denied Control Events) / Total Number of Inline Control Events)
  8. Incidents per Million (IPM); Incidents per Billion (IPB) – ((Total Number of
    Incidents / Total Transactions) x One Million or Billion)
  9. Incident Prevention Rate (IPR) – (1 – (Total Incidents / (True Positives +
    Total Incidents)))
  10. Risk Aversion Ratio (RAR) – (False Positives / Total Incidents)
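
The ten formulas above, computed together from one period's operational totals, as an added example (not code from the original post or the research report). It assumes inline control events are tallied in four classes, with True Positives taken as bad denied events, False Positives as good denied events, and Total Incidents as bad allowed events; all names and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Period:
    """Operational totals for one reporting period (field meanings are assumptions)."""
    asset_value: float    # Total Value of IT and Information Assets ($)
    asset_cost: float     # Total Cost of IT and Information Assets ($)
    control_cost: float   # Total Cost of Control ($)
    security_cost: float  # Total Security Costs ($)
    losses: float         # Total Losses ($)
    transactions: int     # Total Transactions
    good_allowed: int     # legitimate activity a control let through
    bad_denied: int       # assumed to be the "True Positives"
    good_denied: int      # assumed to be the "False Positives"
    bad_allowed: int      # assumed to be the "Total Incidents"

def ratio(num, den):
    """Return num/den, or None when the denominator is zero (metric undefined)."""
    return num / den if den else None

def strategic_metrics(p):
    """Derive the ten strategic metrics from operational counts and costs."""
    events = p.good_allowed + p.bad_denied + p.good_denied + p.bad_allowed
    incidents = p.bad_allowed
    missed = ratio(incidents, p.bad_denied + incidents)
    return {
        "TV": ratio(p.asset_value, p.transactions),
        "TC": ratio(p.asset_cost, p.transactions),
        "CPT": ratio(events, p.transactions),
        "CPC": ratio(p.control_cost, events),
        "STV": ratio(p.security_cost, p.asset_value),
        "LTV": ratio(p.losses, p.asset_value),
        "CE": ratio(p.good_allowed + p.bad_denied, events),
        "IPM": ratio(incidents * 1_000_000, p.transactions),
        "IPR": None if missed is None else 1 - missed,
        "RAR": ratio(p.good_denied, incidents),  # undefined with zero incidents
    }

# Constructed sample figures, not taken from the post or the report.
SAMPLE = Period(asset_value=50_000_000, asset_cost=10_000_000,
                control_cost=1_500_000, security_cost=2_500_000,
                losses=500_000, transactions=2_000_000,
                good_allowed=5_900_000, bad_denied=90_000,
                good_denied=9_990, bad_allowed=10)

if __name__ == "__main__":
    for name, value in strategic_metrics(SAMPLE).items():
        print(f"{name:>4}: {'undefined' if value is None else round(value, 6)}")
```

With these sample figures the controls are 99.8% effective, yet RAR shows 999 false positives for every incident, which is the kind of trade-off the ratios are meant to surface.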

If you are a practicing enterprise security professional and would like further details, feel free to send me an email and I’d be happy to share the research report that goes along with it.

8 comments for “Top Ten Strategic Security Metrics”

  1. Sajeev Nair
    July 2, 2008 at 3:32 am

    Hi,

    These are very good metrics, appreciate if you could share the report.

  2. July 2, 2008 at 7:23 am

    Hey,

    Would love to see the associated report.

    Regards,
    Christian

  3. James
    July 3, 2008 at 4:52 am

    I have read your post “Top Ten Strategic Security Metrics”. The information stirred my interest in the report you offered. Can you kindly share that report with me?

    Kind Regards,

    James

  4. DL
    July 13, 2008 at 8:42 pm

    Hi,

    Would love to have a copy of the research report you mentioned!

    Thanks in advance,
    DL

  5. Terri
    September 29, 2008 at 8:04 pm

    Please send me the report for the Top 10 security metrics

  6. October 6, 2008 at 5:33 am

    Hi,

    Please send me the research report.

    Thanks & Regards,
    Hogan

  7. March 3, 2009 at 9:13 am

    Mr Spire,
    I am working on developing a series of business and security metrics and would appreciate getting a copy of the paper referenced above with your top 10 strategic security metrics. I am intrigued about where they came from and how they work in practice. Many thanks.
    Regards
    Simone

  8. Peter Mozdzierz
    May 29, 2009 at 10:17 am

    Hello Mr. Spire,
    I love your top ten security metrics. Please forward me a copy of your paper referenced above.
    Thank you,
    Peter M.
