Understanding Information Security Metrics

Understanding Information Security

As per Wikipedia, “Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction”. The Business Directory defines Information Security as “Safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity”. While Wikipedia speaks only about protecting data from unauthorized access, the Business Directory also stresses the need to maintain the integrity of the information.

There are plenty of definitions of information security on the Internet and in libraries worldwide. However, the essence of all the definitions is the same: a combination of the two definitions above, 1) protection from unauthorized access and 2) maintenance of data integrity. When we speak of maintaining integrity, we are not speaking only about unauthorized access to data and its modification. We also refer to the modification or the partial or total destruction of data during transfer across a network or the Internet, whether caused by malfunctioning devices or by other reasons.

Plenty of methods are available, and more are under development, to keep your data safe. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are examples of such methods. SSL is generally used to make secure transactions over the Internet; you must have noticed the lock symbol while making a payment or accessing your bank online.

To ensure that your data stays protected, practitioners in the field use information security metrics to create, implement, and improve security systems that keep your data safe not only when it is stored on a storage device, but also when it is being transmitted or received over a network or the Internet.

Information Security Metrics: An Introduction

In an era of numerous efforts to steal your data, more and more companies are investing in security products. With the investment comes the question of returns. The companies’ security advisors or security managers have to prove that their security programs are capable of keeping the data safe and that the programs offer satisfactory returns in exchange for the investment. This is achieved by measuring the security offered by a program or product at frequent intervals. These measurements are discrete data points that show the effectiveness of the security program.

These information security measurements are then compared by testing the security systems at random intervals. The companies compare the effectiveness of a security program or software on several factors, including the number of risk factors it is able to tackle. As the measurements are taken while the security programs are still (constantly*) being enhanced, there may be substantial differences among the comparisons. Based on these comparisons, the information security metrics are defined. These metrics offer information about the program’s capability to deal with information storage and transfer risks.

*Note: Obtaining information security metrics is not a one-time process. It is an ongoing process, and the implementation of the security programs is modified according to the data presented by the information security metrics.

Use of Information Security Metrics

Information security metrics help security managers assess the protection offered by the different components of a security program or product. These metrics also help in identifying the vulnerabilities and leaks in the security program a company is using. They can inform the security engineers about the problems that may occur if a process is not implemented properly. In short, information security metrics answer the following questions:

  1. Is the infrastructure safer than before?

  2. Is the security program strong enough to prevent break-ins and maintain the integrity of information? And,

  3. How do the information security metrics of one program/process differ from those of another program/process?

The following sections outline the implementation of information security metrics for creating and/or enhancing an information security program.

Using Information Security Metrics

Though each company has its own method of implementing a security metrics program to enhance its security systems, the seven-step model for designing and using security metrics is the best known. The model is outlined in the following paragraphs.

The first step is to define the objectives of the information security metrics. Though the ultimate goal of an information security metrics program is to enhance the current security system, you need to be more specific about what you intend to achieve, because the security system depends on a number of processes that work collectively to offer maximum information safety. An example objective is identifying the possible vulnerabilities in the system so that the security analysts can work on fixing them.

The second step is to generate strategies that create information security metrics for implementation. These strategies are the methods by which the security analysts collect data and measure the effectiveness of the current security system. This covers both the current strengths and the risks associated with the implementation of the current security program.

Based on frequent collection of data, the security system is worked on to increase its strength while reducing the risks involved. Several sources aid the development of the information security metrics strategy. These include firewall logs, user feedback, help desk logs, and system logs.

The third step is the most difficult one, as it affects how you use the information security metrics. In this step, you decide which security metrics to use. If you feel that a new security metric has to be created, you need to focus on that too. As explained already, information security metrics are the results of comparing two or more random tests of the existing security program at different stages of its development and implementation. Hence, you need to be careful when selecting and using the metrics that indicated more security. In other words, you need to identify the processes that offer more information security by employing the data the metrics provide, so that the system programmers can further strengthen those processes.

The fourth step involves comparing the data protection efficiency of the current security program with the processes of other companies to establish benchmarks. This data makes the information security metrics even more effective. With other companies’ security data included, the information security metrics can be further refined to enhance the current security program. Remember that enhancing a security program does not mean improving overall protection all at once. It is a step-by-step method, whereby the information security metrics for the different processes forming the entire security program are consulted. Based on this, each process is refined to achieve a more effective security system for protecting users’ data.

In the fifth step, the format and audience of the information security metrics are decided. The best way to present security metrics is in graphic form, so that security managers as well as company managers can understand them easily. The audience is selected based on who has permission to approve modifications. In some companies the security analysts can take the decisions themselves, while others require even the stakeholders to approve any change to the security systems. Whatever decision is taken, it should be designed to gather more input for the enhancement of the current security system.

The sixth step involves creating an action plan. The action plan is based on the data obtained from the information security metrics and on the input gathered from the audience to whom the metrics were presented. This is the stage where the security analysts may face resistance. Some people will strongly reject any changes to the current security system because they believe it is already capable of tackling all the risks. However, no matter how strong a security system is, it needs to be updated constantly, as malicious users of the Internet are always trying to break into your servers. Hence, the security systems too should be kept under constant improvement so that they are able to tackle new risks or vulnerabilities. This is where information security metrics come in.

The final step is to create a program that frequently reviews the security programs. As explained in the introduction, this involves frequent measurements of the efficiency of the security system. These measurements again come from the different logs and from feedback from the users of the security products or systems. Based on these measurements, information security metrics are derived and used for constant improvement of the security program.
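The seven steps above describe a measurement loop: collect data from sources such as firewall and help desk logs (step 2), derive metrics from it (step 3), compare against an earlier period or an external benchmark (step 4), and present the result (step 5). The block below is an added example, not code from the article or from any product it mentions, that carries a minimal version of that loop through in Python. The log line and ticket formats, the sample records, and the choice of metrics (exposed ports, incident count, mean time to resolve) are all constructed for the example; a real program would substitute the formats its own firewalls and ticketing system produce.

```python
"""Added example: deriving information security metrics from two measurement
periods of constructed log data and comparing them, as the seven-step model
describes.  All formats and values here are constructed for illustration."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed firewall log lines: "<timestamp> <ACTION> <source> -> <dst port>".
FIREWALL_LOG_Q1 = """\
2024-01-03T08:12:01 DENY 203.0.113.5 -> 22
2024-01-03T08:12:07 ALLOW 198.51.100.9 -> 443
2024-01-04T11:40:22 DENY 203.0.113.17 -> 3389
2024-01-05T02:01:13 ALLOW 198.51.100.3 -> 443
2024-01-05T02:01:19 ALLOW 198.51.100.3 -> 80
2024-01-06T23:55:00 DENY 203.0.113.5 -> 23
"""
FIREWALL_LOG_Q2 = """\
2024-04-02T07:30:00 DENY 203.0.113.8 -> 22
2024-04-02T07:30:05 ALLOW 198.51.100.9 -> 443
2024-04-03T12:00:00 DENY 203.0.113.8 -> 3389
2024-04-03T12:00:09 DENY 203.0.113.21 -> 23
2024-04-04T09:15:44 ALLOW 198.51.100.4 -> 443
"""

# Constructed help desk records: "ticket,opened,closed,category".
HELPDESK_Q1 = """\
T-101,2024-01-03T09:00,2024-01-05T09:00,malware
T-102,2024-01-10T14:00,2024-01-10T18:00,phishing
T-103,2024-01-20T10:00,2024-01-20T18:00,malware
"""
HELPDESK_Q2 = """\
T-201,2024-04-02T08:00,2024-04-02T20:00,phishing
T-202,2024-04-05T09:00,2024-04-05T15:00,lost-device
"""

# Metrics for which a smaller value is unambiguously better.  Raw counts such
# as denied attempts are reported as context only, since more denials may mean
# either more attacks or a better-tuned firewall.
LOWER_IS_BETTER = ("exposed_ports", "incident_count", "mttr_hours")


def parse_firewall_log(text):
    """Step 2: turn constructed firewall lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _, port = line.split()
        events.append({"ts": ts, "action": action, "src": src, "port": int(port)})
    return events


def parse_helpdesk(text):
    """Step 2: turn constructed ticket records into resolution times in hours."""
    tickets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, opened, closed, category = line.split(",")
        delta = datetime.fromisoformat(closed) - datetime.fromisoformat(opened)
        tickets.append({"id": tid, "hours": delta.total_seconds() / 3600, "category": category})
    return tickets


def compute_metrics(firewall_text, helpdesk_text):
    """Step 3: reduce one period's raw data to a small set of named metrics."""
    events = parse_firewall_log(firewall_text)
    tickets = parse_helpdesk(helpdesk_text)
    denied = sum(1 for e in events if e["action"] == "DENY")
    return {
        "denied_attempts": denied,
        "deny_ratio": round(denied / len(events), 3) if events else 0.0,
        # Distinct destination ports the firewall let through: a proxy for exposed surface.
        "exposed_ports": len({e["port"] for e in events if e["action"] == "ALLOW"}),
        "incident_count": len(tickets),
        "mttr_hours": round(mean(t["hours"] for t in tickets), 1) if tickets else 0.0,
        "incidents_by_category": dict(Counter(t["category"] for t in tickets)),
    }


def compare(baseline, current):
    """Steps 3/4: compare a measurement with an earlier period or an external
    benchmark and state the direction for each metric that has a defined 'better'."""
    report = {}
    for name in LOWER_IS_BETTER:
        before, after = baseline[name], current[name]
        verdict = "improved" if after < before else "regressed" if after > before else "unchanged"
        report[name] = {"before": before, "after": after, "verdict": verdict}
    return report


def format_report(report):
    """Step 5: render the comparison as plain lines for a non-technical audience."""
    return [f"{name}: {r['before']} -> {r['after']} ({r['verdict']})" for name, r in report.items()]


if __name__ == "__main__":
    q1 = compute_metrics(FIREWALL_LOG_Q1, HELPDESK_Q1)
    q2 = compute_metrics(FIREWALL_LOG_Q2, HELPDESK_Q2)
    print("\n".join(format_report(compare(q1, q2))))
```

Because `compare` only takes two metric dictionaries, the same function serves step 4: pass another organisation's published figures (or an industry benchmark) as the baseline instead of the previous quarter. Keeping the "lower is better" list explicit is the point of step 3 in practice: a metric without an agreed direction, such as the raw number of denied connections, should be reported as context rather than scored.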

Information Security Metrics: Summary of Using the Metrics

To sum up, there are several uses of information security metrics. They are helpful in determining the strengths and weaknesses of any information security system at a given point in time. While one can assess the effectiveness of a security system using the metrics, they are equally useful in improving the information security systems. Metrics obtained from different sources can also be used to create an efficient information security system from scratch.

When creating an information security system from scratch, the data is collected from different existing information security systems. The data should be sufficient to derive information security metrics. This also means that the information systems analyst must collect data more than once from each security system before creating the metrics. Spacing the measurements over time gives the metrics more depth, so that the analysts may study them and design a model of a good and effective information security system.

There are many more ways of employing information security metrics once you understand them properly. The following links may prove beneficial for learning about information security metrics, the different methods to derive them, and the many ways to use them.

a. Federal Computer Week, 16 June 2006 (URL: http://www.fcw.com/article89546-07-13-05)

b. Federal Computer Week, 16 June 2006 (URL: https://www.fcw.com/article70756)

c. NIST and CSSPAB Workshop, Washington, D.C., 13-14 June 2000. (URL: https://csrc.nist.gov/csspab/june13-15/jelen.pdf)

d. Applied Computer Security Associates Workshop on Information-Security-System Rating and Ranking, Williamsburg, Virginia, 21-23 May 2001: 1-2. (URL: https://www.acsac.org/measurement)

Further Readings on Information Security Metrics

a. Bayuk, Jennifer L. “Information Security Metrics: An Audit-based Approach.” NIST and CSSPAB Workshop, Washington, D.C., 14 June 2000. (URL: https://csrc.nist.gov/csspab/june13-15/Bayuk.pdf, accessed 10 July 2001)

b. https://www.securitystats.com

c. https://www.cio.com

d. “A Few Good Metrics,” CSO Magazine, 1 July 2005. (URL: https://www.csoonline.com/read/070105/metrics.html)

e. https://www.issea.org (accessed 16 June 2006)

f. https://csrc.nist.gov/organizations/guidance/framework-final.pdf