Reporting
According to Coelho (2007), a threat is any event that, if realized, can cause damage to a system and create a loss of confidentiality, availability, or integrity. The goal of any security program is to mitigate the risk posed by a threat and to understand what level of risk an organization can tolerate. Risk and security metrics should be designed to control the risk level and prevent future threats. An example of a security metric is the False Positive Reporting Rate (FPRR), a reporting metric that provides indicators of compromise before management escalates resources and efforts in the response team (Linkov, 2013); it shows patch latency and how efficiently security …
Business leaders use return-on-investment (ROI) to understand whether security controls are effective. This requires that managers know the risk before and after the implementation of security measures, and the remaining value of the organization's assets will influence how a security manager convinces stakeholders of his or her proposal. Ryan and Ryan (2008) explain how one should analyze risk and threat: risk analysis and risk management ought to be based on quantitative performance metrics that inform cost-benefit analyses and return-on-investment (ROI) calculations, thereby enabling defensible management decisions concerning information security. A Chief Information Security Officer can show accountability and receive top-management support by offering the CEO, CFO, and board of directors visibility into the spending process, showcasing the percentage of strategic IT security projects completed on time and on budget. This ensures that the security program aligns with business and organizational strategy while delivering ever-increasing value to the executive …
Ryan and Ryan (2008) suggest that security incidents are multifaceted problems, so a correlation relationship exists between metrics and security incidents. For example, a metric that collects the number of outgoing unprotected emails sent by employees, taken from Data Loss Prevention (DLP), can be analyzed in several ways. First, an unacceptably large volume of outgoing traffic sustained on a daily basis could indicate a lack of education in handling customer confidential information. Second, a manager can confirm the presumption that employees need more training by checking it against security awareness metrics. Third, employee misconduct may contribute to only part of the incident; a back-end problem could also lead to transmitting unencrypted data. Metrics should be examined formally and regularly to determine whether they indicate progress towards each objective and whether additional measurements are needed for each metric, utilizing all of the resources available without affecting business operations. Security effectiveness is measured by a framework rather than a list of
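The three readings of the DLP metric above can be turned into checks that run over the raw counts. The following is an added example, not code from the essay or from any DLP product: the daily per-sender counts, the service-account name `svc-billing`, the training roster, and the thresholds (more than 3 hits per day for at least 3 consecutive days; a single service account producing at least half of all hits) are all constructed assumptions chosen to illustrate the analysis.

```python
"""Analyze a DLP 'unprotected outgoing e-mail' metric three ways:
1. is the excess volume sustained, or a one-day spike?
2. do hits come from many people (training problem) or from one
   service account (back-end problem)?
3. what share of human hits comes from staff who have not completed
   awareness training?  (cross-check against the awareness metric)
All data below is constructed for the example; it is not real DLP output."""
from collections import Counter

# Constructed sample: per day, how many unprotected e-mails each sender sent.
DAILY = {
    "2024-03-01": {"svc-billing": 3, "alice": 1},
    "2024-03-02": {"svc-billing": 3, "bob": 2},
    "2024-03-03": {"svc-billing": 4, "alice": 1, "carol": 1},
    "2024-03-04": {"svc-billing": 3, "bob": 2},
    "2024-03-05": {"svc-billing": 4, "alice": 2, "carol": 1},
    "2024-03-06": {"bob": 1},
    "2024-03-07": {"svc-billing": 3, "alice": 2, "bob": 1},
}
# Assumed: which senders are automated back-end accounts, and which
# humans have completed security awareness training.
SERVICE_ACCOUNTS = {"svc-billing"}
TRAINED = {"alice"}


def daily_totals(daily):
    """Total DLP hits per day, keyed by ISO date."""
    return {day: sum(counts.values()) for day, counts in daily.items()}


def longest_exceedance_run(daily, threshold):
    """Longest run of consecutive days (in date order) with total > threshold."""
    best = current = 0
    for day in sorted(daily):
        if sum(daily[day].values()) > threshold:
            current += 1
            best = max(best, current)
        else:
            current = 0
    return best


def is_sustained(daily, threshold=3, min_days=3):
    """Reading 1: the volume is a sustained problem, not a one-off spike."""
    return longest_exceedance_run(daily, threshold) >= min_days


def per_sender(daily):
    """Aggregate hits per sender across all days."""
    totals = Counter()
    for counts in daily.values():
        totals.update(counts)
    return totals


def dominant_source(daily, service_accounts, share_cutoff=0.5):
    """Reading 3: classify the main source of hits.
    Returns (label, top_sender, share) where label is 'back-end' when one
    service account produces at least share_cutoff of all hits."""
    totals = per_sender(daily)
    top, hits = totals.most_common(1)[0]
    share = hits / sum(totals.values())
    if top in service_accounts and share >= share_cutoff:
        return ("back-end", top, share)
    return ("user-behaviour", top, share)


def untrained_share(daily, service_accounts, trained):
    """Reading 2: fraction of human-originated hits from untrained staff."""
    totals = per_sender(daily)
    human = {s: n for s, n in totals.items() if s not in service_accounts}
    human_total = sum(human.values())
    if human_total == 0:
        return 0.0
    return sum(n for s, n in human.items() if s not in trained) / human_total


def report(daily=DAILY, service_accounts=SERVICE_ACCOUNTS, trained=TRAINED):
    """Combine the three readings into one management-facing summary."""
    label, top, share = dominant_source(daily, service_accounts)
    return {
        "sustained": is_sustained(daily),
        "longest_run_days": longest_exceedance_run(daily, 3),
        "dominant_source": label,
        "top_sender": top,
        "top_sender_share": round(share, 3),
        "untrained_share_of_human_hits": round(
            untrained_share(daily, service_accounts, trained), 3),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data the volume is sustained (five consecutive days above the threshold), but the service account `svc-billing` accounts for roughly 59% of hits, so the report points at a back-end problem first; the 57% of human hits coming from untrained staff is the secondary, training-related finding. Keeping the readings separate is what stops the metric from being read as "employees need training" when most of the leakage is a misconfigured system.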