EDUCAUSE | Security Metrics
http://www.educause.edu/Resources/Browse/SecurityMetrics/33572

IT Service Metrics 101
http://www.educause.edu/ero/article/it-service-metrics-101
- These guidelines to service metrics explain what to measure and how, when, and why to measure it.
- Trends reveal the most about services and performance, alerting an IT department to problems as they develop or to success in their service delivery efforts.
- Service subscription rates and customer surveys provide the best metrics for identifying trends because the only way to know what customers think about your organization's ability to deliver services is to ask them.
- Do not gather a bunch of metric data just because you can — start with high-level service goals and then identify the metrics that can help gauge how well those goals are being met.
Published: Thu, 13 Dec 2012 18:35:26 +0000

Metrics 201: Benchmarking and Security Metrics
http://www.educause.edu/featured_content/cds-analyzing-your-data-webinar-recording-now-available-0/metrics-201-benchmarking-and-security-metrics
Whether you're new to metrics or a metrics master, this session is for you. We'll help you get started with using a metrics development methodology. Then, we'll look at some examples of security metrics being used at institutions today.
Finally, we'll discuss how you can use the EDUCAUSE Core Data Service to benchmark your security office with other institutions.
Published: Thu, 22 Mar 2012 15:18:06 +0000

Benchmarking Security Data with the Redesigned EDUCAUSE Core Data Service
http://www.educause.edu/node/224934
In 2011, EDUCAUSE will launch an updated Core Data Service based on extensive member feedback. Core data consultant Dan Updegrove will explain enhancements, including a new security survey module, and how to use benchmarking and CDS as part of your cybersecurity planning and evaluation on your campus.
Published: Wed, 02 Mar 2011 23:20:01 +0000

Measuring Security Awareness as a Metric
http://www.educause.edu/events/security-professionals-conference/2011/measuring-security-awareness-metric
In the face of regular news reports of serious data breaches, and best practices outlining the need for security awareness programs, information security departments want to demonstrate the effectiveness of their security awareness programs. User awareness and training is often touted as providing the greatest return on investment in terms of security. Are simple questionnaires or quizzes administered periodically enough to measure effectiveness? Are they reliable? With the transient nature of students, are they accurate and comparable year to year? What other ways are there to measure security awareness? Hear what peers from other institutions are doing in a face-to-face panel discussion.
Published: Mon, 24 Jan 2011 22:01:29 +0000

A Guide to Security Metrics
http://www.educause.edu/events/security-professionals-conference/2010/guide-security-metrics
In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny of institutional costs, security managers are more than ever being held accountable for demonstrating effectiveness of their security programs. What means should managers be using to meet this challenge? Key among these should be security metrics. This presentation will provide a definition of security metrics, explain their value, discuss the difficulties in generating them, suggest a methodology for building a security metrics program, and review factors that affect its ongoing success. Numerous examples of security metrics will also be covered.
Published: Tue, 13 Apr 2010 20:55:58 +0000

Directions in Security Metrics Research
http://www.educause.edu/library/resources/directions-security-metrics-research
More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.
Published: Thu, 03 Sep 2009 15:33:14 +0000

Cybersecurity: When Will We Know If What We Are Doing Is Working?
http://www.educause.edu/ero/article/cybersecurity-when-will-we-know-if-what-we-are-doing-working
The author discusses issues of security metrics and how to effectively protect the nation's cyberinfrastructure and the information that flows through it.
Published: Thu, 27 Aug 2009 16:15:50 +0000

Building a Cybersecurity Operations Center
http://www.educause.edu/events/security-professionals-conference/2009/building-cybersecurity-operations-center
Three IT security offices (Virginia Tech, Penn State, and Purdue) are building a cybersecurity operations center (CSOC) that will be the focal point for each institution's campus-wide cybersecurity infrastructure. The CSOC aggregates data from IDS, IPS, security reviews, vulnerability scanners, and other tools stored in various databases. The CSOC allows incident response team members to pull up a host's "security history" in a timely manner. This information can be used in incident response, security metrics, and security reviews. The CSOC is not a physical security center with surveillance cameras; it deals only with cybersecurity issues.
Each institution will provide an overview of its CSOC initiatives.
Published: Wed, 22 Apr 2009 15:18:57 +0000

Consensus Audit Guidelines Version 1.0 Released
http://www.educause.edu/blogs/vvogel/consensus-audit-guidelines-version-10-released
A consortium of federal agencies and private organizations recently released Version 1.0 of the Consensus Audit Guidelines (http://www.sans.org/cag/) (CAG), which define the 20 most important controls and metrics for effective cyber defense and continuous FISMA compliance. The public review period for the draft (http://www.sans.org/cag/guidelines.php) will end on March 25, 2009 (send comments to cag@sans.edu).

The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies (http://www.csis.org/) in Washington, DC, to advance key recommendations from the CSIS Commission report on Securing Cyberspace for the 44th Presidency (http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/).
Published: Tue, 24 Mar 2009 15:30:36 +0000

Building a Security Program to Include Metrics
http://www.educause.edu/blogs/vvogel/building-security-program-include-metrics
In "Security Metrics: A Solution in Search of a Problem" (http://connect.educause.edu/Library/EDUCAUSE+Quarterly/SecurityMetricsASolutioni/47083), a recent EDUCAUSE Quarterly (http://connect.educause.edu/Library/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazine/46014) article, Joel Rosenblatt (Manager of Computer and Network Security, Columbia University) describes how the creation and collection of appropriate metrics can enhance an institution's security program. Learn about some potential metrics in the following areas: policy and compliance, network and machine monitoring, outreach and education, legal compliance, authorization and authentication, asset protection, and privacy.
Published: Wed, 13 Aug 2008 20:04:31 +0000

Recommended Reading
http://www.educause.edu/ero/article/recommended-reading-1
Books reviewed in this section include topics on security metrics and an educator's podcasting guide.
Published: Fri, 18 Jul 2008 20:03:24 +0000

Security Metrics: A Solution in Search of a Problem
http://www.educause.edu/ero/article/security-metrics-solution-search-problem
The multifaceted aspects of security programs become clearer with the creation and collection of appropriate metrics.
Published: Fri, 18 Jul 2008 18:34:47 +0000

Cybersecurity Research Challenges
http://www.educause.edu/library/resources/cybersecurity-research-challenges
Today's most prevalent and widely discussed attacks exploit code-level flaws such as buffer overruns and type-invalid input. We need to anticipate tomorrow's attacks and think beyond buffer overruns, beyond code-level bugs, and beyond the horizon. To be ready for threats of the future, we need to be doing more basic research in cybersecurity today.
This talk will outline a few suggestions for important research directions in cybersecurity: the foundations of trustworthy computing, security architectures, privacy, usability, and security metrics.
Published: Mon, 16 Jun 2008 15:56:12 +0000

Incident Management Capability Metrics
http://www.educause.edu/library/resources/incident-management-capability-metrics
The CERT CSIRT Development Team has introduced a method to evaluate and improve an organization's capability for managing computer security incidents. This method uses a set of incident management best practices defined in a set of metrics called the Incident Management Capability Metrics. These metrics provide organizations a baseline against which they can benchmark their current incident management processes or services.

The metrics questions explore different aspects of incident management activities. These questions are grouped into four basic functional categories:
- Protect
- Detect
- Respond
- Sustain

The results from an evaluation using the metrics will help an organization determine the maturity of its incident management capability regardless of organization type or sector (commercial, academic, government, etc.).
Published: Wed, 19 Sep 2007 21:32:32 +0000

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI - Book Review
http://www.educause.edu/ero/article/complete-guide-security-and-privacy-metrics-measuring-regulatory-compliance-operational-resilience-and-roi-book-r
The reviewer states the "Complete Guide to Security and Privacy Metrics is a good reference book for individuals developing or managing metrics for performance management programs." This book has more than 900 ready-to-use metrics designed to measure the following:
- Compliance with current security and privacy regulations and standards
- Operational resilience of physical, personnel, IT, and operational controls
- Return on investment (ROI) on controls used to manage risk of information and IT assets
Published: Thu, 30 Aug 2007 16:36:39 +0000

A Few Good Metrics
http://www.educause.edu/library/resources/few-good-metrics
Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them.
Published: Wed, 22 Aug 2007 19:38:42 +0000

A Guide to Security Metrics
http://www.educause.edu/library/resources/guide-security-metrics
The pressure is on. Various surveys indicate that over the past several years computer security has risen in priority for many organizations. Spending on IT security has increased significantly in certain sectors. As with most concerns that achieve high priority status with executives, computer security is increasingly becoming a focal point not only for investment, but also for scrutiny of return on that investment. In the face of regular, high-profile news reports of serious security breaches, security managers are more than ever before being held accountable for demonstrating effectiveness of their security programs. What means should managers be using to meet this challenge? Some experts believe that key among these should be security metrics. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program.
Published: Wed, 22 Aug 2007 19:32:46 +0000

Guide for Developing Performance Metrics for Information Security: Recommendations of the National Institute of Standards and Technology
http://www.educause.edu/library/resources/guide-developing-performance-metrics-information-security-recommendations-national-institute-standards-and-
This publication focuses on developing and implementing information security metrics for an information security program. The processes and methodologies described in this guidance link information security performance to agency performance by leveraging agency-level strategic planning processes. The performance metrics developed according to this guide will enhance the ability of agencies to respond to a variety of federal government mandates and initiatives, including the Federal Information Security Management Act (FISMA) and the President's Management Agenda (PMA).

The goal of each agency information security program is to provide the appropriate level of protection to the agency's information resources. Information security has become an essential business function, critical to enabling agencies to conduct their operations and deliver services to the public. Each agency's information security program provides direct support to the agency mission. Information security performance metrics provide a means for the monitoring and reporting of agency implementation of security controls. They also help assess the effectiveness of these controls in appropriately protecting agency information resources in support of the agency's mission.
Published: Wed, 22 Aug 2007 19:24:54 +0000

Incident Tracking and Reporting
http://www.educause.edu/events/security-professionals-conference/2007/incident-tracking-and-reporting
The University of Florida and the University of Pennsylvania both regularly generate summary reports of computer incidents for information security managers.
The reports help identify units that need improvement, assist with planning and risk assessment, and have contributed to an improvement in the security posture of both universities.
Published: Mon, 16 Apr 2007 14:37:32 +0000

Effective Security Metrics
http://www.educause.edu/events/security-professionals-conference/2007/effective-security-metrics
This presentation will show how the University of Pittsburgh successfully uses incident, operational, and compliance metrics to demonstrate the effectiveness of its security controls, as well as to substantiate funding for implementing and sustaining them.
Published: Mon, 16 Apr 2007 14:37:31 +0000

Security Assessments in an Academic Environment
http://www.educause.edu/security-professionals-conference/2006/security-assessments-academic-environment
Baylor University recently conducted a campus-wide IT security assessment. This session presents the process from choosing a consultant to remediation of the assessment's discoveries.
The result is a long-term strategy and metrics for IT security within the university.
Published: Tue, 18 Apr 2006 15:56:53 +0000

Addressing Information Security Risk
http://www.educause.edu/ero/article/addressing-information-security-risk
A journey, not a destination, security work is never done—the challenges just keep coming.
Published: Thu, 10 Nov 2005 23:12:02 +0000

Security Assessments for Information Technology
http://www.educause.edu/annual-conference/2005/security-assessments-information-technology
Baylor University recently conducted a campus-wide information technology security assessment. The session will present the assessment process, from choosing a consultant to remediation of the assessment's discoveries. The result is a long-term strategy and metrics for information technology security within the university.
Published: Tue, 01 Nov 2005 18:34:32 +0000

Corporate Information Security Working Group:
http://www.educause.edu/library/resources/corporate-information-security-working-group
The Corporate Information Security Working Group (CISWG) was originally convened in November 2003 by Representative Adam Putnam (R-FL). The Best Practices team surveyed available information security guidance. It concluded in its March 2004 report that much of this guidance is expressed at a relatively high level of abstraction and is therefore not immediately useful as actionable guidance without significant and often costly elaboration. In a subsequent phase convened in June 2004, the Best Practices and Metrics teams were charged with refining Information Security Program Elements and developing recommended Metrics supporting each of the elements. This report is the result of that effort and represents a resource that will help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.
Published: Wed, 12 Jan 2005 19:01:23 +0000

Evaluating Computer-Related Incidents on Campus
http://www.educause.edu/ero/article/evaluating-computer-related-incidents-campus
The CIFAC Project looks at current trends in how incidents are discussed, categorized, and managed.
Published: Tue, 26 Oct 2004 20:16:27 +0000