Security Metrics - 25 Resources

Overview
Publications (12)
Presentations (10)
Blogs (3)

Overview

Metrics are tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. IT Security Metrics are metrics based on IT security performance goals and objectives. [Source: NIST SP 800-55]

Suggested Resources

Center for Internet Security (CIS) Consensus Information Security Metrics: Organizations struggle to make cost-effective security investment decisions, in part because information security professionals lack widely accepted, unambiguous metrics for supporting their decisions.To address the need for clear security metrics, CIS established a consensus group of industry experts. The result is a set of Consensus Security Metrics and data set definitions that can be used across organizations to collect and analyze data on security outcomes and process performance. The current version contains twenty (20) metric definitions for six (6) important business functions: Incident Management, Vulnerability Management, Patch Management, Application Security, Configuration Management, and Financial Metrics. Additional consensus metrics are currently being defined for these and additional business functions.
"Cybersecurity: When Will We Know If What We Are Doing Is Working?": This 2009 EDUCAUSE Review article by Clint Kreitner proposes a conceptual vision/framework for three essential elements: 1) a widely accepted definition of success, 2) consensus metrics for measuring progress toward success, and 3) a comprehensive feedback learning mechanism.
NIST Interagency/Internal Report (IR) 7564: Directions in Security Metrics Research
NIST Special Publication (SP) 800-55: Performance Measurement Guide for Information Security
"Security Metrics: A Solution in Search of a Problem": This 2008 EDUCAUSE Quarterly article by Joel Rosenblatt describes how the creation and collection of appropriate metrics can enhance an institution's security program. Learn about some potential metrics in the following areas: policy and compliance, network and machine monitoring, outreach and education, legal compliance, authorization and authentication, asset protection, and privacy.
"Recommended Reading–Security Metrics: Replacing Fear, Uncertainty, and Doubt": In this 2008 EDUCAUSE Quarterly article, Joel Rosenblatt reviews Andrew Jaquith's book, Security Metrics: Replacing Fear, Uncertainty, and Doubt.

Updated March 2010

Publications (12)

EDUCAUSE publications address a diverse range of professional challenges in higher education IT, from updates on current developments to explorations of important overarching issues. Listed below are the full range of research, reports and other publications that EDUCAUSE and its members have written about Security Metrics.

Item ID	Title	Pub Date	Views
CSD5721	Directions in Security Metrics Research	08/20/2009	273
ERM0959	Cybersecurity: When Will We Know If What We Are Doing Is Working?	09/04/2009	2,091
EQM07313	Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI - Book Review	08/29/2007	7,826
CSD5073	Guide for Developing Performance Metrics for Information Security: Recommendations of the National Institute of Standards and Technology	05/19/2006	5,125
EQM0541	Addressing Information Security Risk	01/01/2005	6,754
EQM0832	Security Metrics: A Solution in Search of a Problem	08/04/2008	4,233
EQM08315	Recommended Reading	08/04/2008	1,817
CSD3661	Corporate Information Security Working Group:	01/01/2004	13,281
CSD5074	A Guide to Security Metrics	06/22/2006	3,452
CSD5075	A Few Good Metrics	07/21/2005	3,046
CSD5144	Incident Management Capability Metrics	09/19/2007	3,249
EQM04413	Evaluating Computer-Related Incidents on Campus	01/01/2004	3,802

Presentations (10)

Stepping away from the distractions of normal routine to meet with peers, share experiences, and learn together can be invaluable. EDUCAUSE places great emphasis on the face-to-face meeting experience, offering you numerous opportunities throughout the year to gather with colleagues - from small regional events and special topic meetings to large, national conferences covering the full spectrum of roles and issues important to higher education. For more information on EDUCAUSE conferences and seminars, please see our Frequently Asked Questions page. Listed below is the full range of presentations EDUCAUSE and its members tagged with Security Metrics

Item ID	Title	Pub Date	Views
SEC122_249107	Metrics 201: Benchmarking and Security Metrics	05/15/2012	192
SEC10_203054	A Guide to Security Metrics	04/13/2010	763
SEC11_222433	Measuring Security Awareness as a Metric	04/06/2011	245
SEC112_224934	Benchmarking Security Data with the Redesigned EDUCAUSE Core Data Service	04/04/2011	216
SEC09_170524	Building a Cybersecurity Operations Center	04/22/2009	1,186
CYB08010	Cybersecurity Research Challenges	05/07/2008	544
SEC07075	Effective Security Metrics	04/11/2007	2,698
SEC07097	Incident Tracking and Reporting	04/12/2007	2,537
EDU05190	Security Assessments for Information Technology	10/20/2005	2,662
SPC0672	Security Assessments in an Academic Environment	04/11/2006	2,345

Blogs (3)

EDUCAUSE hosts a number of blogs for its members. To view a list of all our blogs, click here.

Title	Blogger	Posted	Views
Consensus Audit Guidelines Version 1.0 Released	Valerie M. Vogel, EDUCAUSE	03/24/2009	874
Building a Security Program to Include Metrics	Valerie M. Vogel, EDUCAUSE	08/13/2008	524
New Security Metrics Resource Page Posted to EDUCAUSE Connect	Colleen Luckett, EDUCAUSE	10/11/2007	1,581

Do you have a great resource that should be listed here? Email contribute@educause.edu with your recommendation!