This section presents 16 summaries of metrics in use in the security field from the original report and 6 new metrics added in 2016. About half the contributors supplied examples of graphics they use to convey their metrics to senior management.
After each metric summary comes an evaluation. Each metric was scored against the Security Metrics Evaluation Tool (Security MET) by members of the project's expert panel and/or the research project's principal investigator. The outside experts are high-level security professionals who currently use metrics, and the researcher was especially well-equipped to focus on each metric's methodological (technical) aspects. Their scores are presented in a score sheet. In addition to the numerical scores, the reviewers also provided written comments. The scoring and written evaluations are meant to help readers see where they might strengthen any of these metrics if they choose to import a similar metric into their own organizations.
The summaries that follow may serve as examples for security professionals considering ways to use metrics. Combining the summaries with scoring and expert reviews provides insights not only into the metrics but also into the use of the Security MET.
For privacy, names have been left out of the summaries. The interview format (used when collecting the information) is preserved in the summaries so that readers can compare metrics against particular questions.
The metrics summarized in this section measure a variety of issues and come from a variety of industries and locations:
2016 New Case Studies Added
Sources of Metrics
Real estate management
The metric summaries attempt to provide the information needed to assess the metrics by using the Security Metrics Evaluation Tool (Appendix A). They do not capture every detail of each metric's creation and application, and they are based on self-reporting rather than external audit. Not all the metrics described here would meet the strictest definition of metrics (as opposed to simple measurements), and some may use security data for purposes other than traditional security. Nevertheless, the summaries are intended to provide examples of actual metrics in use in the field, with enough detail to determine how they measure up against the Security MET.
For a few minutes' effort, you can add to the security body of knowledge and receive a free, expert review of a security metric you are using. (Before evaluating or publishing the metric summary, we will remove identifying information, such as personal and organizational names.)