IT Security Metrics (Executive Level)

Are there any guidelines for meaningful metrics for executive reporting? One tends to find very technical questions that are not translated into a business-type indicator. I need to raise the profile of info risk/security at the exec (C) level, apart from CIO/CTO types.


What you need to do is provide an information asset risk inventory with dollar value, risk of loss without security measures, and risk of loss with security measures. For example, if you have an information asset that you value at $1,000,000, with a 20% chance of loss without security measures and a 2% chance of loss with security measures, you see the risk reduction is 18%, and the value of that reduction is $180,000 ($1,000,000 * 0.18). Each asset, with its value and risk factors, needs to be listed.

It’s best if you can use hard data; otherwise use good faith estimates.

So, management needs to be able to see a comparison of the VALUE of your risk mitigation measures to their COST.

I hope this helps.

Craig Herberg
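The risk inventory described in the answer above, as an added example (my own Python, not code from the answer or from any cited standard): the asset names, values and control costs are constructed, and the first row reproduces the $1,000,000 / 20% / 2% case so you can see the $180,000 figure fall out beside the cost of the controls.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One row of the information asset risk inventory."""
    name: str
    value_usd: float          # estimated dollar value of the asset
    p_loss_without: float     # chance of loss with no security measures
    p_loss_with: float        # chance of loss with the measures in place
    control_cost_usd: float   # what the protecting measures cost

    def risk_reduction(self) -> float:
        # e.g. 20% -> 2% is an 18-point reduction in the chance of loss
        return round(self.p_loss_without - self.p_loss_with, 4)

    def reduction_value_usd(self) -> float:
        # value of the reduction = asset value * reduction ($180,000 for the example asset)
        return round(self.value_usd * self.risk_reduction(), 2)

def inventory_report(assets: list[Asset]) -> list[dict]:
    """Per-asset rows plus a TOTAL row comparing the VALUE of mitigation to its COST."""
    rows = []
    for a in assets:
        rows.append({"asset": a.name, "value": a.value_usd,
                     "reduction": a.risk_reduction(),
                     "reduction_value": a.reduction_value_usd(),
                     "cost": a.control_cost_usd,
                     "net_benefit": round(a.reduction_value_usd() - a.control_cost_usd, 2)})
    total_value = round(sum(r["reduction_value"] for r in rows), 2)
    total_cost = round(sum(r["cost"] for r in rows), 2)
    rows.append({"asset": "TOTAL", "value": sum(a.value_usd for a in assets),
                 "reduction": None, "reduction_value": total_value, "cost": total_cost,
                 "net_benefit": round(total_value - total_cost, 2)})
    return rows

# Constructed sample inventory (hypothetical assets and figures); row 1 is the answer's example.
SAMPLE_ASSETS = [
    Asset("Customer database", 1_000_000, 0.20, 0.02, 60_000),
    Asset("Source code repository", 500_000, 0.10, 0.01, 25_000),
    Asset("Public marketing site", 50_000, 0.30, 0.05, 20_000),
]

if __name__ == "__main__":
    # A negative net benefit (the marketing site here) flags a control that costs
    # more than the risk it removes, which is exactly what the exec audience wants to see.
    for r in inventory_report(SAMPLE_ASSETS):
        red = "" if r["reduction"] is None else f"{r['reduction']:.0%}"
        print(f"{r['asset']:<24} ${r['value']:>12,.0f} {red:>5} "
              f"${r['reduction_value']:>12,.2f} ${r['cost']:>10,.2f} ${r['net_benefit']:>12,.2f}")
```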

Discuss This Question: 3  Replies

  • CRE8IVEsolutions
    In addition to the quantitative example from InfoSecurity, you need to also provide the impact to the enterprise where each asset is lost and what the consequences are to the mission. This will identify single-point failures no matter what the probability of loss is and tie it to risk management metrics. Suggest visiting NIST for the standards on security policies, metrics, etc. It's their "800-series" on security standards for the federal government, and they are based on the ISO Common Criteria.
  • Mikewcissp
    The specific NIST guidance is SP 800-55, which is available here: Also, I can't tell if you've asked this question as a result of having read the Feb 2005 Information Security magazine (which obviously sponsors this site), but there was a nice article (albeit, more technical and less executive level):,291266,sid42_gci1052390,00.html
  • HighlandRanger
    Based on the initial phrasing of the question, I'm not sure of the direction for an answer. If the question was "how do we justify what we spend on security," then the answer is above. The NIST reference, or even a reference to the CISSP course of study, can establish the described approach as industry standard practice. If the question was "how do we show the money we are spending on security is money well spent"... that becomes more difficult, because you are trying to prove a negative. For logical domain security, you might be able to point to network stats from firewall logs regarding thwarted intrusion attempts. But can you show the ones you didn't stop? For organizational domain security, I guess you would go with something along the lines of: our policies and procedures stopped something from happening. Same for physical security: our access control or alarm systems prevented X event from happening. Again, it is far more difficult to show that your efforts prevented something from happening, particularly when, without the proper monitoring, you might never know that the event did happen in the first place.
