A step-by-step guide on how to build your security metrics program. Demonstrate security’s value through clear alignment with business strategy and objectives.
1. A Security Metrics Story: Turning Data into Metrics
George Campbell
Emeritus Faculty, Security Executive Council
Copyright 2008 Security Executive Council
2. Key Objectives for Security Metrics
• Positively influence action, attitude and policy
• Materially impact exposure to specific risks
• Demonstrate security’s value through clear alignment with business strategy and objectives
• Measure the success of our diverse programs
3. Some Basic Definitions*
*A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002
• Measurements: single point-in-time views of specific factors, generated by counting.
  Example: Number of life safety vulnerabilities detected by Security Officers on tours
• Metrics: comparisons of two or more measurements taken over time against a pre-determined baseline, generated from analysis.
  Example: Change in the number of life safety vulnerabilities detected by Security Officers on tours since the last reporting period
4. What do You Want to do With Your Metrics?
• Report on Risk
• Risk Awareness in Business Units
• Reveal Lessons-Learned from Incidents
• Track Trends
• Track Program Performance
• Measure Security’s Influence
• Measure Security’s Value
• Security Overview-A Report to Management
• Other message or report?
5. Fundamental Requirement: Good Data!
“Good” =
– Timely incident & investigation reports, competently prepared and reviewed by security management
– Content of reports, logs and other data sources that is valid, accurate and reliable
– A platform that enables enterprise-wide data entry from all sources of incident and event data, querying for trends, analytical searching, and interfaces with tools such as Microsoft Excel and PowerPoint
– A data analysis process that enables, and provides assurance of, verifiable conclusions
– Clear ownership and accountability for data reliability
– Regardless of source, the data must be quantifiable, repeatable (for trending), obtainable and feasible to measure
6. What Types of Actionable Metrics?
“There are three kinds of lies: Lies, damn lies and statistics.”
• Trends: external and internal risk factors targeted by security programs
• Change: the relationship of security programs to an improved state of risk management
• Value: contributions to execution of the business mission and strategy
• Project status: schedules, budget burn rates, results to plan, etc.
• Lessons-learned: case results, defect reduction, crisis after-action reviews
• The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
• Standards & Benchmarks: us vs. best practices & peers
• Your Business Plan: program performance against quantifiable objectives
• Performance measurement of staff, vendors, etc.
• Risk management: cycle times, cost management, ROI, etc.
• Accountability: the diligence of line business unit managers to protect against known risks
• Security’s effectiveness as rated by customers
7. Moving From an Incident Trend to Metrics
Look at the next several slides. You will see four distinct processes related to incident analysis. Each step involves some form of assessment, measurement and consideration of related metrics.
More importantly, looking at risk this way helps form a more reliable assessment of root causes and of the success of the revised security measures we propose to take.
8. Moving From an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
We begin with the area of risk we are concerned about. In this example, we have noted a disturbing trend of more frequent workplace violence incidents at a particular location. Metrics are embedded in the incident reports. For example:
• Frequency?
• Location?
• Time?
• Contributing conditions or circumstances?
• Apparent cause?
• Failed business process?
• What was the business impact?
• What are the characteristics of persons involved? Is the likely perpetrator an insider or outsider?
9. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
• For the past year, 42% involved spousal conflicts with restraining orders
• 34% on the night shift involved alcohol
• Post mortems indicate poor coordination & training of HR & Security personnel
• Security not informed by HR of pending terminations
What gaps in our security program may be contributing to this increase in frequency and severity of workplace violence incidents? When we have competent investigations with good incident reports, we should drill down with a lessons-learned process that will reveal real causes rather than symptoms. Metrics are embedded in our findings regarding apparent vulnerabilities or failed security measures that contributed to the incident:
• Is there a pattern in your findings that suggests a broader set of risks?
• What business processes failed? Which ones should have mitigated risks like these? Who owns them?
• What have we learned about the victims and perpetrators?
10. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
• For the past year, 42% involved spousal conflicts with restraining orders
• 34% on the night shift involved alcohol
• Post mortems indicate poor coordination & training of HR & Security personnel
• Security not informed by HR of pending terminations
Mitigating Actions:
• New policies on restraining orders & no alcohol on site
• 1st line supervisors receive managing-aggressive-behavior training
• HR/Security Intervention Team formed & trained
• Workplace violence protocols & training implemented
We now have a handle on broken processes and what it will likely take to fix them. Metrics are embedded in the post-incident steps taken to mitigate future incidents of this type:
• What specific results are expected of the steps that have been taken?
• What will the steps cost?
• Who are the stakeholders?
• How do we sell the proposed steps?
11. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
• For the past year, 42% involved spousal conflicts with restraining orders
• 34% on the night shift involved alcohol
• Post mortems indicate poor coordination & training of HR & Security personnel
• Security not informed by HR of pending terminations
Mitigating Actions:
• New policies on restraining orders & no alcohol on site
• 1st line supervisors receive managing-aggressive-behavior training
• HR/Security Intervention Team formed & trained
• Workplace violence protocols & training implemented
Measures & Metrics:
• Increases in reporting of restraining orders
• % reductions in workplace violence & confrontations
• % reductions in alcohol-related cases
• Post mortems show training & intervention techniques work
• Employee surveys show improved safety
Metrics are embedded in the results of the risk mitigation activities:
• What were the positive or negative results vs. those planned?
• What savings or expenses will accrue?
12. Communicating Your Findings
Using the data gathered from incident reports and case post-mortems during the past
year on workplace violence incidents, we can build a couple of PowerPoint graphics to
demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for
presentation purposes. The chart utility is fairly easy to use and offers a lot of chart
types and ability to play with content, appearance and analytical options such as trend
analysis.
Each of the following two slides may be used for a variety of purposes:
- Advise top management on risk mitigation activities
- Demonstrate the effectiveness of a new or revised security measure
- Demonstrate value by reducing potentially costly litigation and reputational risk
- Engage and raise targeted business unit awareness of potential risk
- Modify a business process for increased safety and productivity
- Meet legal obligations for safe & secure workplaces
- Contribute to improved employee morale
- Celebrate an important collaboration
Investigative post mortems are especially effective in developing the data for a briefing
on this topic. What was learned, what have we done to prevent similar occurrences in
the future, what were the outcomes for victims, employees and perpetrators?
13. Example: From our incident database, we can construct an overall view of workplace violence for the current year:
[Bar chart: number of incidents (0 to 100) by category]
Internal Threat
• Termination Assistance
• Employee Conduct
• Ex-employee Conduct
External Threat
• Domestic Violence (64% with restraining orders)
• Hostile Visitor
• Disgruntled Customer
• On site
• Telephone Threats*
• Mail Threats to Co.
• Bomb Threats
* Not bomb threats
14. Cumulative Impact of Steps Taken to Mitigate Workplace Violence at Assembly Plant # 4
[Bar chart: % increase/decrease (-100 to +100) by quarter, 1st Qtr through 4th Qtr, for four series:]
• % Increase/Decrease in alcohol-related workplace violence incidents
• % Increase/Decrease in successful intervention since manager training
• % Increase/Decrease in voluntary reporting of restraining orders
• % Increase/Decrease in coordinated Security/HR interaction
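The distinction the deck draws on slide 3 (a measurement is a point-in-time count; a metric compares measurements over time against a baseline) is what the quarterly chart above is built on. The following is an added worked example, not code from the deck or the Security Executive Council: it turns a list of constructed incident records into per-quarter measurements, then into two metrics, change since the last reporting period and cumulative change against a fixed baseline quarter. The category names, quarter labels and counts are all assumed for illustration. It also handles the case the chart has to deal with quietly: a baseline of zero incidents, where a percentage change is undefined and should be reported as a gap rather than an infinite "spike".

```python
from collections import Counter

QUARTERS = ["Q1", "Q2", "Q3", "Q4"]

# Constructed sample incident records (quarter, category), standing in for an
# export from an incident database. Counts are chosen to keep the arithmetic
# easy to follow; none of these figures come from the original presentation.
SAMPLE_INCIDENTS = (
    [("Q1", "alcohol_related")] * 4 + [("Q2", "alcohol_related")] * 3
    + [("Q3", "alcohol_related")] * 2 + [("Q4", "alcohol_related")] * 1
    + [("Q1", "restraining_order_reported")] * 2 + [("Q2", "restraining_order_reported")] * 3
    + [("Q3", "restraining_order_reported")] * 4 + [("Q4", "restraining_order_reported")] * 5
    + [("Q2", "bomb_threat")]
)


def measure(incidents, category, quarters=QUARTERS):
    """Measurement: a point-in-time count per quarter, generated by counting.
    Quarters with no incidents are reported as 0 rather than omitted, so that
    later period-over-period comparisons stay aligned."""
    tally = Counter(q for q, cat in incidents if cat == category)
    return {q: tally.get(q, 0) for q in quarters}


def pct_change(current, baseline):
    """Percent change from a baseline count. A zero baseline makes the ratio
    undefined; return None so a chart shows a gap instead of a fake spike."""
    if baseline == 0:
        return None
    return round(100.0 * (current - baseline) / baseline, 1)


def change_since_last_period(counts):
    """Metric: change vs. the previous reporting period (slide 3's example)."""
    qs = list(counts)
    return {q: pct_change(counts[q], counts[prev]) for prev, q in zip(qs, qs[1:])}


def cumulative_change(counts, baseline_quarter):
    """Metric: change vs. a fixed baseline quarter, the 'cumulative impact'
    view used in the quarterly chart."""
    base = counts[baseline_quarter]
    return {q: pct_change(c, base) for q, c in counts.items() if q != baseline_quarter}


def metrics_report(incidents, categories, baseline_quarter="Q1"):
    """Combine the measurement and both metrics for each category."""
    report = {}
    for cat in categories:
        counts = measure(incidents, cat)
        report[cat] = {
            "measurement": counts,
            "vs_prior": change_since_last_period(counts),
            "vs_baseline": cumulative_change(counts, baseline_quarter),
        }
    return report


if __name__ == "__main__":
    cats = ["alcohol_related", "restraining_order_reported", "bomb_threat"]
    for cat, rows in metrics_report(SAMPLE_INCIDENTS, cats).items():
        print(cat)
        for name, row in rows.items():
            print(f"  {name:12s} {row}")
```

Two design points worth carrying into a real program: the measurement function fills in empty quarters explicitly, because a category that drops to zero is exactly the result you want to be able to chart, and a metric that silently skips it would hide the success; and a zero baseline is returned as None rather than inf, so the reviewer sees "no baseline" instead of a misleading percentage. With a real export, only SAMPLE_INCIDENTS and the category names change.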
15. Summary
• We own a unique database of business performance measures and metrics
• Our metrics enable and support a key value proposition: our ability to positively influence enterprise protection, corporate policy and behavior
• Our programs can materially contribute to corporate health and profitability
• We have an obligation to inform, educate and eliminate plausible denial
• We need to graphically demonstrate to management how we are probing the weak spots and influencing change
16. Where to Find More on Security Metrics
To learn more about the Security Executive Council and security metrics, go to www.securityexecutivecouncil.com.
Portions of this presentation are from: Measures and Metrics in Corporate Security
17. George K. Campbell
George is currently a member of the Emeritus Faculty of the Security Executive Council and a Managing Partner in the Business Security Advisory Group, a professional security consultancy. He retired in 2002 as Chief Security Officer at Fidelity Investments, the world’s largest privately owned financial services firm. Under George’s leadership, the global corporate security organization delivered a wide range of proprietary services including information security, disaster recovery planning, background, due diligence and criminal investigations, fraud prevention, property protection and security system engineering. During the period 1989-92 George owned his own security consulting firm, and from 1978-89 he was Group Vice President at a system engineering firm supporting worldwide U.S. Government security programs. His criminal justice career from 1965 to 1978 was spent in various line and senior management functions within federal, state and local government agencies.
He is a frequent contributor to professional security journals and seminars and is the author of Measures and Metrics in Corporate Security, published in 2005 by the Security Executive Council.
George received his baccalaureate degree (Police Administration) from American University, Washington, D.C. in 1965. He is a Life Member of the International Security Management Association, served on its Board of Directors from 1998-2003 and as ISMA’s President in 2002-03. George has been a member of the American Society for Industrial Security since 1978. He is an alumnus of the U.S. Department of State Overseas Security Advisory Council and a former member of the High Technology Crime Investigation Association and the Association of Certified Fraud Examiners.