This powerful 2-day course provides a wealth of tools, guidelines and inputs for anybody having to deal with security metrics.
In the last few years the term "security metrics" has developed into a holy grail. We all know the mantra that if you can’t measure it, you can’t manage it. Everybody wants security metrics, everybody seems to know that they are necessary, but how does the CISO or the IT department get them?
Learning outcomes
It covers, clearly and concisely, all the key points:
- How secure is my organisation really - differing methods and concepts
- How much security is enough? How much is too much?
- Is the security program headed in the right direction?
- Are security resources adequate and used to the best effect?
- What and how to measure - all the key security metrics explained
- Security metametrics - a PRAGMATIC approach that works
- How to design your information security measurement system
- How everything can be pulled together to create a system which works
Who should attend
The programme is designed for in-house presentation to groups, and can be used both for initial induction and for periodic security refresher training.
Course contents
1. The Art and Science of Security Metrics
- Metrology, the science of measurement
- Governance and management metrics
- Information security metrics
- Financial metrics for information security
- (Information security) Risk management metrics
- Software quality and security metrics
- Information security metrics reference review
- Specifying metrics
- Metrics catalogues and a serious warning about SMD
- Other (information security) metrics resources
2. Audiences for Security Metrics
- Metrics audiences within the organisation
- Senior management
- Middle and junior management
- Security operations
- Others with an interest in information security
- Metrics audiences outside the organisation
3. Finding Candidate Metrics
- Pre-existing/current information security metrics
- Other corporate metrics
- Metrics used in other fields and organisations
- Information security metrics reference sources
- Other sources of inspiration for security metrics
- Security surveys
- Vendor reports and white papers
- Security software
- Roll-your-own metrics
- Metrics supply and demand
Breakout session – propose metrics for:
- Senior management
- Executive management
- Middle management
- Operations
4. Metametrics and the PRAGMATIC approach
- Metametrics
- Selecting information security metrics
- The PRAGMATIC criteria
P = Predictive
R = Relevant
A = Actionable
G = Genuine
M = Meaningful
A = Accurate
T = Timely
I = Independent
C = Cost
- Scoring information security metrics against the PRAGMATIC criteria
- Step 1: Determine the measurement objective/s
- Step 2: Specify the metric/s
- Step 3: Design the metric/s
- Step 4: Rate and score the metric/s using the PRAGMATIC criteria
- Step 5: Compare the PRAGMATIC score/s against other metrics
- Step 6: Select the best metric/s for your information security measurement system
- Other uses for PRAGMATIC metametrics
- Classifying information security metrics
- SMO (Strategic/Managerial/Operational) metrics classification
- Risk/control metrics classification
- Input – process – output (outcome) metrics classification
- Effectiveness and efficiency metrics classification
- Maturity metrics classification
- Directness metrics classification
- “Robustness” metrics classification
- Readiness classification
- Policy/practice metrics classification
Breakout session – score proposed metrics
Present results
5. Sample Security Metrics
- Information security risk management example metrics
- Information security policy example metrics
- Security governance, management and organisation example metrics
- Information asset management example metrics
- Human resources security example metrics
- Physical security examples
- IT security metric examples
- Access control example metrics
- Software security example metrics
- Incident management example metrics
- Business continuity management examples
- Compliance and assurance metrics examples
6. Summary and Conclusions
Course fees
Face-to-face classroom training
Course: Security Metrics
Fees (A$ per person): $1800 + GST