Great tutorial on Information Security Program Metrics
While reading a blog posting this morning I came across a great set of slides called "Measuring Security."
Slide 15 hits the nail on the head with the questions a security program should answer:
• How secure am I?
• Am I better off than this time last year?
• Am I spending the right amount of money?
• How do I compare to my peers?
• What risk transfer options do I have?
Slide 36 has a great quote on "Risk Management":
The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcomes and the linkage between effect and cause is hidden from us.
The next 300 slides are a ton of background detail...overkill until you're really ready to dig in. For now I would simply recommend jumping to slide 402 to get to the punchline; here are some of the recommended metrics:
• Cost of security per transaction
• DoS and other attack downtimes
• Data flow per transaction & per source
• Budget correlation with risk measures
• Comparison with like firms
• Percentage of critical systems under DR plan
• Percentage of systems obeying ______ policy
• MTBF & MTTR for security incidents
• Number of security team consultations
• Latency to obey ______ change orders
• Percentage of job reviews involving security
• Percentage of security workers with training
• Ratio of b.u. security staff to central staff
• New system timely security consultations
• Percentage of programs with budgeted security
• Percentage of SLAs with security standards
• Percentage of tested external-facing applications
• Number of non-employees with access
• Percentage of data secure-by-default
• Percentage of customer data outside data center
While all this detail is extremely important, the beautiful thing about what Securityworks offers is that it has built a method to normalize any and all metrics into a single score. Think of it as your grade point average: you can drill down from the top and see how you're doing in each subject, on each test, each homework assignment, etc.
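To make the "grade point average" idea concrete, here is an added example of how such a roll-up can be built. It is not Securityworks' method or anything from the slides: each metric is scored 0-100 by linear interpolation between a "floor" value (0 points) and a "target" value (100 points), which puts "higher is better" percentages and "lower is better" times on the same scale; scores are then weighted into category scores and one program score, with a drill-down that lists the weakest metrics first. Every target, floor, weight and measured value below is constructed for illustration, and the metric names are borrowed from the list above.

```python
"""Roll heterogeneous security metrics up into one score, with drill-down.

Added example, not the slides' or Securityworks' method. A metric scores
100 at its target, 0 at its floor, and is clipped outside that range, so
a 'lower is better' metric just has floor > target. All numbers in the
sample are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Metric:
    name: str
    value: float          # measured value for this period (constructed)
    target: float         # value worth 100 points (assumed, not from the slides)
    floor: float          # value worth 0 points (assumed, not from the slides)
    weight: float = 1.0   # relative importance inside its category

    def score(self) -> float:
        """Normalize to 0-100; floor > target makes it 'lower is better'."""
        if self.target == self.floor:
            raise ValueError(f"{self.name}: target and floor must differ")
        raw = 100.0 * (self.value - self.floor) / (self.target - self.floor)
        return max(0.0, min(100.0, raw))


@dataclass(frozen=True)
class Category:
    name: str
    weight: float             # relative importance in the program score
    metrics: Sequence[Metric]

    def score(self) -> float:
        """Weighted mean of the member metric scores (the 'subject' grade)."""
        total = sum(m.weight for m in self.metrics)
        return sum(m.score() * m.weight for m in self.metrics) / total


def program_score(categories: Sequence[Category]) -> float:
    """Weighted mean of category scores: the single top-level number."""
    total = sum(c.weight for c in categories)
    return sum(c.score() * c.weight for c in categories) / total


def drill_down(categories: Sequence[Category]) -> list[tuple[str, float]]:
    """Flatten to ('Category / Metric', score) pairs, weakest first, so a
    reader can start at the top and find what is dragging the grade down."""
    rows = [(f"{c.name} / {m.name}", m.score())
            for c in categories for m in c.metrics]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample period; targets and floors are assumptions.
SAMPLE = (
    Category("Coverage", weight=3.0, metrics=(
        Metric("Percentage of critical systems under DR plan", 80,
               target=100, floor=0, weight=2.0),
        Metric("Percentage of tested external-facing applications", 60,
               target=100, floor=0),
        Metric("Percentage of data secure-by-default", 85,
               target=100, floor=50),
    )),
    Category("Response", weight=1.0, metrics=(
        # lower is better: floor is the worst tolerated value, target the goal
        Metric("MTTR for security incidents (hours)", 24, target=8, floor=72),
        Metric("Latency to obey change orders (days)", 8, target=2, floor=14),
        Metric("DoS and other attack downtime (hours/year)", 0,
               target=0, floor=24),
    )),
)

if __name__ == "__main__":
    print(f"Program score: {program_score(SAMPLE):.1f}")
    for c in SAMPLE:
        print(f"  {c.name}: {c.score():.1f}")
    print("Weakest metrics first:")
    for path, s in drill_down(SAMPLE):
        print(f"  {s:5.1f}  {path}")
```

Run it as a script to see the top-level score, the per-category scores and the drill-down. The one design choice that matters is that the floor and target for each metric are explicit inputs rather than hidden in the code, since those thresholds (not the arithmetic) are where a program's risk appetite is encoded; keeping last year's inputs alongside this year's is what lets the same roll-up answer "am I better off than this time last year?".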
Labels: controls, grc, iso 27001, it risk, risk, security, security metric