
Top Ten Strategic Security Metrics

Last week at the Burton Group conference I presented on the Top Ten Strategic Security Metrics. It is really interesting to see the reactions I get from people about these. Some security professionals get really excited about them while others think they are pie-in-the-sky. Rest assured that even though these are strategic metrics, they have detailed grounding in operational metrics. That is the true value of the metrics - they bridge the gap.

Anyway, here they are:

  1. Transaction Value (TV) - (Total Value of IT and Information Assets $ / Total Transactions)
  2. Transaction Cost (TC) - (Total Cost of IT and Information Assets $ / Total Transactions)
  3. Controls per Transaction (CPT) - (Total Number of Inline Control Events / Total Transactions)
  4. Cost per Control (CPC) - (Total Cost of Control $ / Total Number of Inline Control Events)
  5. Security to Value Ratio (STV) - (Total Security Costs $ / Total Value of IT and Information Assets $)
  6. Loss to Value Ratio (LTV) - (Total Losses $ / Total Value of IT and Information Assets $)
  7. Control Effectiveness Ratio (CE) - ((Good Allowed Control Events + Bad Denied Control Events) / Total Number of Inline Control Events)
  8. Incidents per Million (IPM); Incidents per Billion (IPB) - ((Total Number of Incidents / Total Transactions) x One Million or Billion)
  9. Incident Prevention Rate (IPR) - (1 – (Total Incidents / (True Positives + Total Incidents)))
  10. Risk Aversion Ratio (RAR) - (False Positives / Total Incidents)

If you are a practicing enterprise security professional and would like further details, feel free to send me an email and I'd be happy to share the research report that goes along with it.
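
An added example (not from the original post or the accompanying report) that derives metrics 3, 4 and 7 through 10 from a tally of classified inline control events. It assumes that "True Positives" are bad events denied, "False Positives" are good events denied, and every bad event allowed counts as one incident; the event counts, transaction total and control cost are constructed.

```python
from collections import Counter

# Constructed sample: each inline control event is (intent, decision).
# Assumption: "good"/"bad" is ground truth established after the fact.
EVENTS = (
    [("good", "allow")] * 9_400
    + [("bad", "deny")] * 450
    + [("good", "deny")] * 120   # false positives
    + [("bad", "allow")] * 30    # control failed; assumed to be the incidents
)


def ratio(num, den):
    """Return num/den, or None when the denominator is zero (undefined)."""
    return num / den if den else None


def metrics(events, total_transactions, control_cost):
    """Compute CPT, CPC, CE, IPM, IPR and RAR using the formulas in the list."""
    tally = Counter(events)
    inline = sum(tally.values())          # Total Number of Inline Control Events
    good_allowed = tally[("good", "allow")]
    bad_denied = tally[("bad", "deny")]   # true positives (assumed mapping)
    false_pos = tally[("good", "deny")]
    incidents = tally[("bad", "allow")]
    missed = ratio(incidents, bad_denied + incidents)
    return {
        "CPT": ratio(inline, total_transactions),
        "CPC": ratio(control_cost, inline),
        "CE": ratio(good_allowed + bad_denied, inline),
        "IPM": ratio(incidents * 1_000_000, total_transactions),
        "IPR": None if missed is None else 1 - missed,
        # Undefined when there were no incidents; report None, not infinity.
        "RAR": ratio(false_pos, incidents),
    }


if __name__ == "__main__":
    result = metrics(EVENTS, total_transactions=5_000, control_cost=25_000)
    for name, value in result.items():
        print(f"{name}: {value}")
```
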


Comments

Hi,

These are very good metrics, appreciate if you could share the report.

Hey,

Would love to see the associated report.

Regards,
Christian

I have read your post "Top Ten Strategic Security Metrics". The information stirred my interest in the report you offered. Can you kindly share that report with me?

Kind Regards,

James

Hi,

Would love to have a copy of the research report you mentioned!

Thanks in advance,
DL

Please send me the report for the Top 10 security metrics

Hi,

Please send me the research report.

Thanks & Regards,
Hogan

Mr Spire,
I am working on developing a series of business and security metrics and would appreciate getting a copy of the paper referenced above with your top 10 strategic security metrics. I am intrigued about where they came from and how they work in practice. Many thanks.
Regards
Simone

Hello Mr. Spire,
I love your top ten security metrics. Please forward me a copy of your paper referenced above.
Thank you,
Peter M.
