Course overview

This powerful 2-day course provides a wealth of tools, guidelines and inputs for anybody having to deal with security metrics.

In the last few years the term "security metrics" has developed into a holy grail. We all know the mantra that if you can’t measure it, you can’t manage it. Everybody wants security metrics, everybody seems to know that they are necessary, but how does the CISO or the IT department get them?

Learning outcomes

The course covers, clearly and concisely, all the key points:

  • How secure is my organisation really - differing methods and concepts
  • How much security is enough? How much is too much?
  • Is the security program headed in the right direction?
  • Are security resources adequate and used to the best effect?
  • What and how to measure - all the key security metrics explained
  • Security metametrics - a PRAGMATIC approach that works
  • How to design your information security measurement system
  • How everything can be pulled together to create a system which works

Who should attend

The programme is designed for in-house presentation to groups. It is suitable both for initial induction and for periodic security refresher training.

Course contents

1. The Art and Science of Security Metrics

  •   Metrology, the science of measurement
  •   Governance and management metrics
  •   Information security metrics
  •   Financial metrics for information security
  •   (Information security) Risk management metrics
  •   Software quality and security metrics
  •   Information security metrics reference review
  •   Specifying metrics
  •   Metrics catalogues and a serious warning about SMD
  •   Other (information security) metrics resources

2. Audiences for Security Metrics

  •   Metrics audiences within the organisation
    •   Senior management
    •   Middle and junior management
    •   Security operations
    •   Others with an interest in information security
  •   Metrics audiences outside the organisation

3. Finding Candidate Metrics

  •   Pre-existing/current information security metrics
  •   Other corporate metrics
  •   Metrics used in other fields and organisations
  •   Information security metrics reference sources
  •   Other sources of inspiration for security metrics
    •   Security surveys
    •   Vendor reports and white papers
    •   Security software
    •   Roll-your-own metrics
    •   Metrics supply and demand

Breakout session – propose metrics for:

  •   Senior management
  •   Executive management
  •   Middle management
  •   Operations

4. Metametrics and the PRAGMATIC approach

  •   Metametrics
  •   Selecting information security metrics
  •   The PRAGMATIC criteria
    •   P = Predictive
    •   R = Relevant
    •   A = Actionable
    •   G = Genuine
    •   M = Meaningful
    •   A = Accurate
    •   T = Timely
    •   I = Independent
    •   C = Cost

  •   Scoring information security metrics against the PRAGMATIC criteria
    •   Step 1: Determine the measurement objective/s
    •   Step 2: Specify the metric/s
    •   Step 3: Design the metric/s
    •   Step 4: Rate and score the metric/s using the PRAGMATIC criteria
    •   Step 5: Compare the PRAGMATIC score/s against other metrics
    •   Step 6: Select the best metric/s for your information security measurement system
  •   Other uses for PRAGMATIC metametrics
  •   Classifying information security metrics
    •   SMO (Strategic/Managerial/Operational) metrics classification
    •   Risk/control metrics classification
    •   Input – process – output (outcome) metrics classification
    •   Effectiveness and efficiency metrics classification
    •   Maturity metrics classification
    •   Directness metrics classification
    •   “Robustness” metrics classification
    •   Readiness classification
    •   Policy/practice metrics classification

Breakout session – score proposed metrics

Present results

5. Sample Security Metrics

  •   Information security risk management example metrics
  •   Information security policy example metrics
  •   Security governance, management and organisation example metrics
  •   Information asset management example metrics
  •   Human resources security example metrics
  •   Physical security examples
  •   IT security metric examples
  •   Access control example metrics
  •   Software security example metrics
  •   Incident management example metrics
  •   Business continuity management examples
  •   Compliance and assurance metrics examples

6. Summary and Conclusions

Course fees

Course: Security Metrics
Fees (A$ per person): $1800 + GST