The concept of information security metrics is much wider than it seems to the average computer geek. In short, these metrics help build and continually improve the security systems that let you use the Internet without worry.
Understanding Information Security
As per Wikipedia, "Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction". The Business Directory defines Information Security as "Safe-guarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity". While the Wikipedia definition speaks only of protecting data from unauthorized access, the Business Directory definition also stresses the need to maintain the integrity of information.
There are plenty of definitions of Information Security on the Internet and in libraries worldwide, but the essence of all of them is the same. It is the combination of the two definitions above: 1) protection from unauthorized access and 2) maintaining the integrity of data. When we speak of maintaining integrity, we are not speaking only about unauthorized access to data and its modification. We also mean the modification or partial or total destruction of data while it is transferred across a network or the Internet, whether caused by a malfunctioning device or by other reasons.
Plenty of methods are available, and more are under development, to keep your data in secure hands. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are examples of such methods. SSL is generally used to make secure transactions over the Internet; you must have noticed the lock symbol while making a payment or accessing your bank online.
To ensure that your data stays protected, practitioners and researchers in the field use information security metrics to create, implement, and improve security systems that keep your data safe not only while it is stored on a storage device, but also while it is being transmitted or received over a network or the Internet.
Information Security Metrics: An Introduction
In an era of numerous efforts to steal your data, more and more companies are investing in security products. With investment comes the question of returns. The companies' security advisors or security managers have to prove that their security programs are effective enough to keep the data safe and that the programs offer a satisfactory return on the investment. This is done by measuring the security offered by a program or product at frequent intervals. These measurements are discrete data points that show the effectiveness of the security program.
These information security measurements are then compared by testing the security systems at random intervals. The companies compare the effectiveness of a security program or software on several factors, including the number of risk factors it is able to tackle. Because the measurements are taken while the security programs are still (constantly*) being enhanced, there may be substantial differences between successive comparisons. Based on these comparisons, the information security metrics are defined. These metrics describe the program's capability to deal with information storage and transfer risks.
*Note: Obtaining information security metrics is not a one-time process. It is an ongoing process, and the implementation of the security programs is modified according to the data presented by the metrics.
Use of Information Security Metrics
Information security metrics help security managers assess the protection offered by the different components of a security program or product. They also help identify the vulnerabilities and leaks in the security program a company is using, and they can inform security engineers about the problems that may occur if a process is not implemented properly. In short, information security metrics answer the following questions:
1. Is the infrastructure safer than before?
2. Is the security program strong enough to prevent intrusion and maintain the integrity of information? And,
3. How do the information security metrics of one program/process differ from those of another?
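As an added illustration (not part of the original article), the following Python sketch shows how the discrete measurements described earlier can be turned into ratio metrics, compared across successive intervals to answer question 1, and used to compare the risk factors two programs address for question 3. The field names, the three quarterly snapshots, and the risk-factor sets are constructed assumptions, not data from any real program.

```python
from dataclasses import dataclass


@dataclass
class Measurement:
    """One discrete measurement of a security program at a point in time.
    All fields are constructed sample fields chosen for this example."""
    period: str
    hosts_total: int
    hosts_patched: int             # hosts with all critical patches applied
    critical_findings_open: int    # critical findings still open at period end
    critical_findings_closed: int  # critical findings closed during the period
    incidents: int                 # confirmed incidents during the period


def compute_metrics(m: Measurement) -> dict:
    """Turn raw counts into ratios so periods of different size compare fairly."""
    findings_total = m.critical_findings_open + m.critical_findings_closed
    return {
        "patch_coverage": m.hosts_patched / m.hosts_total if m.hosts_total else 0.0,
        # nothing to remediate counts as fully remediated
        "remediation_rate": (m.critical_findings_closed / findings_total
                             if findings_total else 1.0),
        "incidents_per_100_hosts": (100 * m.incidents / m.hosts_total
                                    if m.hosts_total else 0.0),
    }


# Direction in which each metric should move for the program to be "safer".
HIGHER_IS_BETTER = {
    "patch_coverage": True,
    "remediation_rate": True,
    "incidents_per_100_hosts": False,
}


def compare_periods(prev: Measurement, curr: Measurement) -> dict:
    """Per-metric deltas between two consecutive measurements."""
    a, b = compute_metrics(prev), compute_metrics(curr)
    return {k: round(b[k] - a[k], 4) for k in a}


def safer_than_before(prev: Measurement, curr: Measurement) -> bool:
    """Question 1: every metric moved in the desirable direction or held steady."""
    deltas = compare_periods(prev, curr)
    return all((d >= 0) if HIGHER_IS_BETTER[k] else (d <= 0)
               for k, d in deltas.items())


def risk_factor_gap(program_a: set, program_b: set) -> dict:
    """Question 3: which risk factors one program addresses that the other does not."""
    return {
        "only_a": sorted(program_a - program_b),
        "only_b": sorted(program_b - program_a),
        "both": sorted(program_a & program_b),
    }


def trend(measurements: list) -> list:
    """Walk consecutive measurements and flag each step as improvement or regression."""
    return [(p.period, c.period, safer_than_before(p, c), compare_periods(p, c))
            for p, c in zip(measurements, measurements[1:])]


# Constructed sample data: three quarterly measurements of one program.
SAMPLE = [
    Measurement("2024-Q1", 200, 150, 40, 20, 6),
    Measurement("2024-Q2", 210, 180, 25, 45, 3),
    Measurement("2024-Q3", 215, 175, 30, 10, 2),
]

if __name__ == "__main__":
    for prev_p, curr_p, ok, deltas in trend(SAMPLE):
        print(prev_p, "->", curr_p, "safer" if ok else "REGRESSION", deltas)
    print(risk_factor_gap({"phishing", "malware", "insider"}, {"phishing", "ddos"}))
```

The sample deliberately includes a regression in the third quarter (patch coverage slips while incidents keep falling) to show why a single headline number is not enough: the "safer than before" answer requires every tracked metric to hold or improve, which is the ongoing, interval-by-interval comparison the note above describes.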
The following sections outline the implementation of information security metrics for creating and/or enhancing an information security program.