Information Security Metrics: Examples & Overview

Instructor: Alison Gunnels

Alison has a graduate degree in Criminal Justice.

Information security metrics are a powerful measurement system that helps us justify or refute company expenditure. In this lesson, we'll see what they are and examine two kinds of metrics: quantitative and qualitative.

What are Metrics?

Samantha the Computer Security Manager was having a great day. She'd gotten her budget requests in order, and her new team members were more skilled than expected. One of the new hires, Jonah, was even great at making the slide decks that business seemed to run on. Samantha had reviewed his slide deck for the CEO's board review, and her team's progress was beyond expectations. That is why she was surprised when Tracey, the other new hire, asked for a meeting to discuss and improve the presentation.

Jonah and Samantha sat down around the round table in the Security lab as Tracey prepared to take notes on her laptop. Tracey turned to look at her teammates. 'How do we know we're doing a good job?'

'Because we haven't had any more problems with hackers since we installed patches and anti-malware,' said Jonah.

'Because no one is calling us all the time about viruses and downtime,' said Samantha.

'And both of those are mentioned in the presentation,' said Tracey. 'That's good. How do we know it's worth the cost of the software and labor? How do we know that it's better to spend money on Computer Security than on Quality Assurance? Samantha, you told me the IT Manager wants to hire another developer and buy new database software. We want a new headcount and technical audit training - we're competing for that money. Our presentation talks about progress toward our goals, but it doesn't show how we make a difference to the company. We need to show that we are part of the business, too. We need more metrics.'

Samantha was already nodding. 'We do need more information security metrics - measurement of the return on investing money in our program. Metrics are a valuable way to demonstrate our value to the company. Our presentation shows our goals, but it doesn't relate our work to the company's success. So how do we do that? Ideas?'

Jonah and Tracey stared at each other for a while, then shrugged. Samantha shrugged back. 'That kind of answer is very company specific. So we have some research to do about our own company. I'll check with John, the IT Manager. You two can go review our work plan against company goals for next year. Find out if we can categorize all of our projects into one of those categories.'

Computer Security Metrics That Matter

Tracey and Jonah grabbed a conference room and pulled up the newest presentation on company goals, then positioned another monitor with Jonah's team presentation.

As Jonah looked for a match, Tracey pulled up the latest CEO address on the corporate Intranet. 'Aha! The CEO said he wants profits reinvested into IT to lower operating costs. That is a specific goal. Also, he talks about internal IT support as a specific operating cost to reduce.' She scanned through the text of the speech. 'He wants less downtime on the customer network, and he wants clients with bigger names.'

'We can relate to that,' Jonah responded. 'If Samantha can find out average support costs per hour per incident, we already know how many of those incidents are related to security. We also know how many of those incidents our investments would have prevented. And we know how much we reimburse the customers for network downtime per hour. So the same sort of metrics can be applied. But what about the bigger name clients?'

'I come from a large accounting firm,' said Tracey. 'And we put the audit training in the budget because I told Samantha that we had to have audits if we were going after that business. There is not a cost reduction like the other items, but if we don't get that training….'

'We cannot get that business,' finished Jonah. 'And look - pursuit of big business appears on the list of next year's goals. We definitely have a winner.'
