The Quest for Better Metrics
Despite organisations having managed their information risks and security controls for decades, most still struggle with the related measurements, begging big questions about the nature of that ‘management’. It could be argued that the lack of appropriate metrics is partly, perhaps largely, responsible for the ongoing stream of information security incidents, privacy breaches, ransomware attacks and the like, and for the shortage of skilled cybersecurity professionals. The quest for better metrics, and for professionals who truly understand this subject, is becoming ever more urgent as the profession matures and expectations rise.
Light on mathematics, statistics and theory, the course provides a wealth of practical tips and techniques, giving you the tools and the confidence to make real progress on this challenging topic. The course emphasises real-world challenges, situations and applications for the tools and techniques, with exercises to try out new techniques in a safe environment.
This 2-day course moves rapidly through the basics to cover advanced topics likely to be of interest to experienced professionals in senior roles. Although the course directly addresses measurement challenges in information risk and security management, the tools and techniques are more broadly applicable, making the learning equally valuable for other metrics used elsewhere in the business. It covers, but extends well beyond, the technical/cybersecurity metrics typically used at an operational level, e.g. in network security.
Tailoring to Your Situation
When it comes to metrics, there is no off-the-shelf list of ‘good practice’ metrics you can simply adopt. Numerous example metrics are discussed during the course to illustrate the pros and cons of various measurement, analysis and reporting approaches. They serve to demonstrate and practise the tools and techniques you will use to craft a custom suite of information security measures for your organisation, given its unique business situation and goals, information risks, security controls, maturity level and compliance obligations. Rather than supplying an ill-fitting, uncomfortable off-the-peg suit(e) of generic metrics, this course teaches you the tailoring skills you need to shine.
Learning outcomes
- GQM and PRAGMATIC methods, used to specify and design/select information security metrics in a rational, structured manner.
- How to differentiate the few worthwhile from the many worthless security metrics.
- Analytical/critical thinking techniques you need to evaluate, shortlist, implement, use and improve security metrics.
- How to discuss, choose and refine security metrics in conjunction with your peers and management.
Who should attend
This course is designed for experienced professionals in senior roles, including:
- Information Risk/Security Manager
- Cybersecurity Manager
- Compliance Manager
- Chief Information Security Officer
- Chief Risk Officer
- Chief Governance Officer
Course contents
1. Introduction
- Your tutor and classmates
- The purpose of information security metrics – what they are for
- The demand for information security metrics, in particular the business drivers
2. Audiences for information security metrics
- Both within and beyond the organisation
- Who needs the measurements?
- What do they need them for?
3. Types of information security metrics
- Different types for different purposes
- Strategic, tactical and operational management levels
- Quantitative and qualitative metrics – complementary rather than alternatives
4. Sources of metrics
- Where to look for metrics – sources of inspiration such as standards, methods and books
- Adapting and improving existing metrics
- How to design and develop custom metrics to satisfy your organisation’s unique measurement needs
5. Using the GQM method
- Determine the organisation’s business Goals relating to information risk, security, privacy, compliance etc.
- Pose actual and rhetorical Questions relating to achievement of the goals
- Derive Metrics to answer those questions
6. Metametrics (metrics about metrics)
- A pragmatic approach to characterise, score, evaluate, shortlist and ultimately improve the value delivered by information risk and security metrics
- Systematically assess and score possible metrics using the P.R.A.G.M.A.T.I.C. method
- Predictive – good metrics tell you something useful about the future
- Relevant – to the organisation and its information risks and security controls
- Actionable – it should be obvious what to change to improve a bad metric
- Genuine – difficult to fake or game the system
- Meaningful – informs and resonates with the intended audience/s
- Accurate – sufficient precision for proportional control
- Timely – available when needed to make decisions and act
- Independently verifiable – fact/data-based, not purely subjective
- Cost-effective – a metric must deliver or save more value than it costs to produce
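As an added illustration of the scoring step in section 6 (this is not code from the course or from the PRAGMATIC textbook), the following Python scores a handful of constructed candidate metrics against the nine criteria, ranks them, shortlists those above a threshold and reports each metric's weakest criterion as the obvious improvement target. The 0–100 scale per criterion, the use of a plain or weighted mean as the overall score, the threshold of 60 and the sample scores are all assumptions made for the example.

```python
"""Scoring candidate security metrics against the PRAGMATIC criteria.

Added example, not course or textbook material. Assumptions: each criterion
is scored 0-100, the overall score is the (optionally weighted) mean of the
nine criterion scores, and the sample metrics and scores below are constructed.
"""
from dataclasses import dataclass
from statistics import mean

# The nine criteria, in the order the acronym spells them out.
CRITERIA = (
    "Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
    "Accurate", "Timely", "Independently verifiable", "Cost-effective",
)


@dataclass
class CandidateMetric:
    """A proposed metric together with its score (0-100, assumed scale) per criterion."""
    name: str
    scores: dict

    def __post_init__(self):
        # A metric cannot be compared with others unless every criterion is scored.
        missing = [c for c in CRITERIA if c not in self.scores]
        if missing:
            raise ValueError(f"{self.name!r}: unscored criteria {missing}")
        extra = sorted(set(self.scores) - set(CRITERIA))
        if extra:
            raise ValueError(f"{self.name!r}: unknown criteria {extra}")
        for criterion, value in self.scores.items():
            if not 0 <= value <= 100:
                raise ValueError(f"{self.name!r}: {criterion} score {value} outside 0-100")


def pragmatic_score(metric, weights=None):
    """Overall score: mean of the nine criterion scores, or a weighted mean.

    `weights` (assumed extension) maps criterion -> relative weight; unlisted
    criteria weigh 1, so an organisation can emphasise, say, Actionable.
    """
    if weights is None:
        return mean(metric.scores[c] for c in CRITERIA)
    total_weight = sum(weights.get(c, 1) for c in CRITERIA)
    return sum(metric.scores[c] * weights.get(c, 1) for c in CRITERIA) / total_weight


def weakest_criterion(metric):
    """The criterion dragging the score down most: the first thing to improve."""
    return min(CRITERIA, key=lambda c: metric.scores[c])


def shortlist(metrics, threshold=60, weights=None):
    """Rank candidates by score and keep those at or above the threshold.

    Returns (name, score rounded to 1 d.p., weakest criterion) tuples, best first.
    """
    ranked = sorted(metrics, key=lambda m: pragmatic_score(m, weights), reverse=True)
    return [
        (m.name, round(pragmatic_score(m, weights), 1), weakest_criterion(m))
        for m in ranked
        if pragmatic_score(m, weights) >= threshold
    ]


# Constructed sample metrics and scores, purely for illustration.
SAMPLE_METRICS = [
    CandidateMetric(
        "Mean time to patch critical vulnerabilities on internet-facing systems",
        dict(zip(CRITERIA, (70, 85, 80, 60, 75, 70, 65, 70, 65))),
    ),
    CandidateMetric(
        "Number of antivirus signatures in the current update",
        dict(zip(CRITERIA, (10, 20, 5, 40, 10, 90, 80, 90, 85))),
    ),
    CandidateMetric(
        "Percentage of staff who completed security awareness training",
        dict(zip(CRITERIA, (45, 60, 75, 30, 65, 80, 70, 75, 80))),
    ),
]


if __name__ == "__main__":
    for name, score, weakest in shortlist(SAMPLE_METRICS):
        print(f"{score:5.1f}  {name}  (improve: {weakest})")
```

Note how the antivirus-signature count scores well on Accurate, Timely and Independently verifiable yet fails the shortlist: it is cheap and precise but tells management nothing they can act on, which is exactly the kind of metric the course teaches you to recognise and discard.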
7. The metrics lifecycle
- Metrics management, from cradle-to-grave
- Metrics maturity – systematically reviewing and improving metrics
8. An information security measurement system
- Designing a coherent ‘system’ for measuring various aspects of information security
- Taking a broader perspective on the data, analysis, presentation and use of metrics
- Metrics as an essential, integral component of an information security management system (e.g. ISO/IEC 27001, NIST CSF, CIS …), and of corporate management as a whole
9. Conclusion
- Summing up
- Reflect on take-home messages
- Action plans, putting the learning to work
Course Format
The course is delivered in Live Virtual format. It is not a pre-recorded video course. Participants are encouraged to interact with the trainer and each other, with opportunities to ask questions and discuss genuine business situations, challenges and approaches. Bring real-world security measurement issues to the session and come away with pragmatic solutions.
There are hands-on exercises to practice and learn the techniques as a group.
The course workbook stimulates you to think and make your own notes rather than simply read someone else’s, while the course textbook supports supplementary in-depth study.
Fees per person
Security Metrics (2 days)
Course fees include:
- High-quality course presentation
- ALC comprehensive course workbook: deliberately slim yet thought-provoking, containing the slides and teaching notes, with plenty of space to jot down your own thoughts and comments
- Textbook: PRAGMATIC Security Metrics
- Example information security metrics of various kinds (quantitative and qualitative), illustrating their creative possibilities, opportunities and drawbacks.
- A wealth of practical measurement methods, tools, terms and advice you can use immediately.
- The inspiration to develop an information security measurement system, a bespoke suite of security metrics tailored specifically for your organisation, plus the associated analytical techniques and processes.