A Security Metrics Story: Turning Data into Metrics

George Campbell
Emeritus Faculty, Security Executive Council

Copyright 2008 Security Executive Council
Key Objectives for Security Metrics

• Positively influence action, attitude and policy
• Materially impact exposure to specific risks
• Demonstrate security’s value through clear alignment with business strategy and objectives
• Measure the success of our diverse programs
Some Basic Definitions*
*A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002

• Measurements: single point-in-time views of specific factors generated by counting.
      • Example: Number of life safety vulnerabilities detected by Security Officers on tours
• Metrics: comparing a pre-determined baseline of two or more measurements taken over time, generated from analysis.
      • Example: Change in number of life safety vulnerabilities detected by Security Officers on tours since last reporting period
What do You Want to do With Your Metrics?

• Report on Risk
• Risk Awareness in Business Units
• Reveal Lessons-Learned from Incidents
• Track Trends
• Track Program Performance
• Measure Security’s Influence
• Measure Security’s Value
• Security Overview: A Report to Management
• Other message or report?
Fundamental Requirement: Good Data!

“Good” =
  – Timely incident & investigation reports competently prepared and reviewed by security management
  – Content of reports, logs and other data sources are valid, accurate and reliable
  – A platform that enables enterprise-wide data entry from all sources of incident and event data, query for trends, analytical searching and interface with tools such as Microsoft Excel and PowerPoint
  – A data analysis process that enables and provides assurance of verifiable conclusions
  – Clear ownership and accountability for data reliability
  – Regardless of source, it must be quantifiable, repeatable (for trending), obtainable and feasible to measure
What Types of Actionable Metrics?
“There are three kinds of lies: Lies, damn lies and statistics.”

• Trends: external and internal risk factors targeted by security programs
• Change: relationship of security programs to an improved state of risk management
• Project status: schedules, budget burn rates, results to plan, etc.
• Lessons-learned: case results, defect reduction, crisis after-action reviews
• The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
• Standards & Benchmarks: us vs. best practices & peers
• Your Business Plan: program performance against quantifiable objectives
• Performance measurement of staff, vendors, etc.
• Value: risk management, cycle times, cost mgt. ROI, etc.
• Accountability: the diligence of line business unit managers to protect against known risks
• Security’s effectiveness rated by customers
• Contributions to execution of the business mission and strategy
Moving From an Incident Trend to Metrics

• Look at the next several slides. You will see four distinct processes related to incident analysis. Each step involves some form of assessment, measurement and consideration of related metrics.

• More importantly, looking at risk this way helps form a more reliable assessment of root causes and the success of the revised security measures we propose to take.
Moving From an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

We begin with the area of risk we are concerned about. In this example, we have noted a disturbing trend of more frequent workplace violence incidents at a particular location. Metrics are embedded in the incident reports. For example:

• Frequency?
• Location?
• Time?
• Contributing conditions or circumstances?
• Apparent cause?
• Failed business process?
• What was the business impact?
• What are the characteristics of persons involved? Is the likely perpetrator an insider or outsider?
Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities:
• For the past year, 42% involved spousal conflicts with restraining orders
• 34% on night shift involved alcohol
• Post mortems indicate poor coordination & training of HR & Security personnel
• Security not informed by HR of pending terminations

What gaps in our security program may be contributing to this increase in frequency and severity of workplace violence incidents? When we have competent investigations with good incident reports we should drill down with a lessons-learned process that will reveal real causes rather than symptoms. Metrics are embedded in our findings regarding apparent vulnerabilities or failed security measures that contributed to the incident:

• Is there a pattern in your findings that suggests a broader set of risks?
• What business processes failed? Which ones should have mitigated risks like these? Who owns them?
• What have we learned about the victims and perpetrators?
Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities: as on the previous slide

Mitigating Actions:
• New policies on restraining orders & no alcohol on site
• 1st line supervisors receive managing aggressive behavior training
• HR/Security Intervention Team formed & trained
• Workplace violence protocols & training implemented

We now have a handle on broken processes and what it will likely take to fix them. Metrics are embedded in the post-incident steps taken to mitigate future incidents of this type:

• What specific results are expected of the steps that have been taken?
• What will the steps cost?
• Who are the stakeholders?
• How do we sell the proposed steps?
Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities: as on the previous slides

Mitigating Actions: as on the previous slide

Measures & Metrics:
• Increases in reporting of restraining orders
• % reductions in workplace violence & confrontations
• % reductions in alcohol-related cases
• Post mortems show training & intervention techniques work
• Employee surveys show improved safety

Metrics are embedded in the results of the risk mitigation activities:

• What were the positive or negative results vs. those planned?
• What savings or expenses will accrue?
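The four-step chain above, from counts taken out of incident reports to metrics compared against a baseline period, worked through in Python as an added example (not code from the deck or the Security Executive Council). The incident records, the voluntary restraining-order report counts and the "Assembly Plant #4" location are constructed sample data, and the Incident fields are assumptions about what a report would carry. It also computes the vulnerability shares (the 42%/34% style figures) and the quarter-over-quarter percent changes that the cumulative-impact chart later in the deck plots, including the zero-baseline case a chart must not silently show as 0%.

```python
"""Measurements vs. metrics over constructed workplace-violence incident data.

A measurement is a point-in-time count taken from incident reports; a metric
compares two or more measurements against a baseline period. All sample data
below is constructed for illustration and is not the deck's real figures.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    """One workplace violence incident report (field set is an assumption)."""
    quarter: str                 # reporting period, e.g. "Q1"
    location: str
    shift: str                   # "day" or "night"
    alcohol_involved: bool
    restraining_order: bool      # spousal conflict with a restraining order on file
    hr_notified_security: bool   # HR told Security in advance (termination, order)
    intervention_success: bool   # HR/Security intervention team de-escalated it


def _batch(quarter: str, n: int, shift: str = "day", alcohol: bool = False,
           ro: bool = False, notified: bool = False, success: bool = False) -> List[Incident]:
    """Build n identical constructed reports for one quarter."""
    return [Incident(quarter, "Assembly Plant #4", shift, alcohol, ro, notified, success)
            for _ in range(n)]


# Constructed sample: one location, four quarters, mitigations rolled out after Q1.
INCIDENTS: List[Incident] = (
    _batch("Q1", 4, shift="night", alcohol=True)
    + _batch("Q1", 3, ro=True)
    + _batch("Q1", 1, ro=True, notified=True, success=True)
    + _batch("Q1", 2)
    + _batch("Q2", 3, shift="night", alcohol=True)
    + _batch("Q2", 3, ro=True, notified=True, success=True)
    + _batch("Q2", 2)
    + _batch("Q3", 2, shift="night", alcohol=True)
    + _batch("Q3", 3, ro=True, notified=True, success=True)
    + _batch("Q3", 1)
    + _batch("Q4", 1, shift="night", alcohol=True)
    + _batch("Q4", 2, ro=True, notified=True, success=True)
    + _batch("Q4", 2, notified=True, success=True)
)

# A second, non-incident data source: employees voluntarily reporting restraining
# orders to Security each quarter (constructed counts).
RO_REPORTS: Dict[str, int] = {"Q1": 3, "Q2": 7, "Q3": 11, "Q4": 14}


def share(incidents: Iterable[Incident], predicate: Callable[[Incident], bool]) -> float:
    """Percent of incidents matching a predicate: the 'contributing vulnerabilities' view."""
    items = list(incidents)
    if not items:
        return 0.0
    return round(100.0 * sum(predicate(i) for i in items) / len(items), 1)


def measure(incidents: Iterable[Incident], ro_reports: Dict[str, int],
            quarter: str) -> Dict[str, int]:
    """Point-in-time measurements for one reporting period: plain counts."""
    q = [i for i in incidents if i.quarter == quarter]
    return {
        "incidents": len(q),
        "alcohol_related": sum(i.alcohol_involved for i in q),
        "successful_interventions": sum(i.intervention_success for i in q),
        "hr_security_coordinated": sum(i.hr_notified_security for i in q),
        "restraining_orders_reported": ro_reports.get(quarter, 0),
    }


def pct_change(baseline: int, current: int) -> Optional[float]:
    """Percent increase/decrease versus the baseline; None when the baseline is zero,
    because a change from nothing is undefined and must not be charted as 0%."""
    if baseline == 0:
        return None
    return round(100.0 * (current - baseline) / baseline, 1)


def metrics(incidents: Iterable[Incident], ro_reports: Dict[str, int],
            baseline: str, quarter: str) -> Dict[str, Optional[float]]:
    """Metrics: each measurement for `quarter` compared with the same one in `baseline`."""
    items = list(incidents)
    before = measure(items, ro_reports, baseline)
    now = measure(items, ro_reports, quarter)
    return {name: pct_change(before[name], now[name]) for name in before}


def quarterly_trend(incidents: Iterable[Incident], ro_reports: Dict[str, int],
                    baseline: str = "Q1", quarters=("Q2", "Q3", "Q4")):
    """The series behind a cumulative-impact chart: one metrics row per quarter."""
    items = list(incidents)
    return {q: metrics(items, ro_reports, baseline, q) for q in quarters}


if __name__ == "__main__":
    print("restraining-order share:", share(INCIDENTS, lambda i: i.restraining_order), "%")
    print("night-shift alcohol share:",
          share(INCIDENTS, lambda i: i.shift == "night" and i.alcohol_involved), "%")
    for q, row in quarterly_trend(INCIDENTS, RO_REPORTS).items():
        print(q, row)
```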
Communicating Your Findings
Using the data gathered from incident reports and case post-mortems during the past
year on workplace violence incidents, we can build a couple of PowerPoint graphics to
demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for
presentation purposes. The chart utility is fairly easy to use and offers a lot of chart
types and ability to play with content, appearance and analytical options such as trend
analysis.

Each of the following two slides may be used in a variety of opportunities:

- Advise top management on risk mitigation activities
- Demonstrate the effectiveness of a new or revised security measure
- Demonstrate value by reducing potentially costly litigation and reputational risk
- Engage and raise targeted business unit awareness of potential risk
- Modify a business process for increased safety and productivity
- Meet legal obligations for safe & secure workplaces
- Contribute to improved employee morale
- Celebrate an important collaboration

Investigative post mortems are especially effective in developing the data for a briefing
on this topic. What was learned, what have we done to prevent similar occurrences in
the future, what were the outcomes for victims, employees and perpetrators?
Example: From our incident data base, we can construct an overall view of workplace violence for the current year:

[Horizontal bar chart, counts on a 0 to 100 scale; individual bar values are not recoverable from the page]
Internal Threat: Termination Assistance; Employee Conduct; Ex-employee Conduct
External Threat: Domestic Violence (64% with restraining orders); Hostile Visitor; Disgruntled Customer; On site; Telephone Threats (* not bomb); Mail Threats to Co.; Bomb Threats
Cumulative Impact of Steps Taken to Mitigate Workplace Violence at Assembly Plant # 4

[Chart: four series plotted by quarter (1st Qtr to 4th Qtr) on a -100 to +100 percent scale; series values are not recoverable from the page]
• % Increase/Decrease in alcohol-related workplace violence incidents
• % Increase/Decrease in successful intervention since manager training
• % Increase/Decrease in voluntary reporting of restraining orders
• % Increase/Decrease in coordinated Security/HR interaction
Summary
• We own a unique database of business performance measures
  and metrics

• Our metrics enable and support a key value proposition: our
  ability to positively influence enterprise protection, corporate
  policy and behavior

• Our programs can materially contribute to corporate health and
  profitability

• We have an obligation to inform, educate and eliminate
  plausible denial

• We need to graphically demonstrate to management how we
  are probing the weak spots and influencing change


Where to Find More on Security Metrics

To learn more about the Security Executive Council and security
metrics, go to www.securityexecutivecouncil.com.



          Portions of this presentation are from:
          Measures and Metrics in Corporate Security




George K. Campbell

George is currently a member of the Emeritus Faculty of the Security Executive Council and a
Managing Partner in the Business Security Advisory Group, a professional security
consultancy. He retired in 2002 as Chief Security Officer at Fidelity Investments, the
world’s largest privately owned financial services firm. Under George’s leadership, the global
corporate security organization delivered a wide range of proprietary services including
information security, disaster recovery planning, background, due diligence and criminal
investigations, fraud prevention, property protection and security system engineering. During
the period 1989-92 George owned his own security-consulting firm and from 1978-89 was
Group Vice President at a system engineering firm supporting worldwide U.S. Government
security programs. His criminal justice career from 1965 to 1978 was spent in various line
and senior management functions within federal, state and local government agencies.

He is a frequent contributor to professional security journals and seminars and is the author of
Measures and Metrics in Corporate Security published in 2005 by the Security Executive
Council.

George received his baccalaureate degree (Police Administration) from American University,
Washington, D.C. in 1965. He is a Life Member and served on the Board of Directors of the
International Security Management Association from 1998-2003 and as ISMA’s President in
2002-03. George has been a member of the American Society for Industrial Security since 1978. He is
an alumnus of the U.S. Department of State, Overseas Security Advisory Council, a former
member of the High Technology Crime Investigation Association and the Association of
Certified Fraud Examiners.

Weitere ähnliche Inhalte

Andere mochten auch

Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...InnoTech
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...NJVC, LLC
 
Security officer performance appraisal
Security officer performance appraisalSecurity officer performance appraisal
Security officer performance appraisaltaylorshannon964
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTripwire
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams Cigital
 

Andere mochten auch (7)

Physical Security
Physical SecurityPhysical Security
Physical Security
 
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and...
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
 
Security officer performance appraisal
Security officer performance appraisalSecurity officer performance appraisal
Security officer performance appraisal
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
 

Kürzlich hochgeladen

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon investment
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...lizamodels9
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Sheetaleventcompany
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noidadlhescort
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Sheetaleventcompany
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Falcon Invoice Discounting
 

Kürzlich hochgeladen (20)

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 

A Security Metrics Story: Turning Data into Metrics

  • 1. A Security Metrics Story: Turning Data into Metrics George Campbell Emeritus Faculty, Security Executive Council Copyright 2008 Security Executive Council
  • 2. Key Objectives for Security Metrics  Positively influence action, attitude and policy  Materially impact exposure to specific risks  Demonstrate security’s value through clear alignment with business strategy and objectives  Measure the success of our diverse programs Copyright 2008 Security Executive Council
  • 3. Some Basic Definitions* *A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002 • Measurements- single point-in-time views of specific factors generated by counting. • Example: Number of life safety vulnerabilities detected by Security Officers on tours • Metrics- comparing a pre-determined baseline of two or more measurements taken over time generated from analysis. • Example: Change in number of life safety vulnerabilities detected by Security Officers on tours since last reporting period Copyright 2008 Security Executive Council
  • 4. What do You Want to do With Your Metrics? • Report on Risk • Risk Awareness in Business Units • Reveal Lessons-Learned from Incidents • Track Trends • Track Program Performance • Measure Security’s Influence • Measure Security’s Value • Security Overview-A Report to Management • Other message or report? Copyright 2008 Security Executive Council
  • 5. Fundamental Requirement: Good Data! “Good” = – Timely incident & investigation reports competently prepared and reviewed by security management – Content of reports, logs and other data sources are valid, accurate and reliable – A platform that enables enterprise-wide data entry from all sources of incident and event data, query for trends, analytical searching and interface with tools such as Microsoft Excel and PowerPoint – A data analysis process that enables and provides assurance of verifiable conclusions – Clear ownership and accountability for data reliability – Regardless of source, it must be quantifiable, repeatable (for trending), obtainable and feasible to measure Copyright 2008 Security Executive Council
• 6. What Types of Actionable Metrics? “There are three kinds of lies: Lies, damn lies and statistics.”
Trends: external and internal risk factors targeted by security programs
  – Lessons-learned case results, defect reduction, crisis after-action reviews
  – Your Business Plan: program performance against quantifiable objectives
  – Accountability and the diligence of line business unit managers to protect against known risks
Change: The relationship of security programs to an improved state of risk management
  – The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
  – Performance measurement of staff, vendors, etc.
  – Security’s effectiveness rated by customers
Value: Contributions to execution of the business mission and strategy
  – Project status: Risk management, schedules, budget burn rates, results to plan, etc.
  – Standards & Benchmarks: Us vs. best practices & peers
  – Cycle times, cost mgt. ROI, etc.
• 7. Moving From an Incident Trend to Metrics  Look at the next several slides. You will see four distinct processes related to incident analysis. Each step involves some form of assessment, measurement and consideration of related metrics.  More importantly, looking at risk this way helps form a more reliable assessment of root causes and the success of the revised security measures we propose to take.
• 8. Moving From an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
We begin with the area of risk we are concerned about. In this example, we have noted a disturbing trend of more frequent workplace violence incidents at a particular location. Metrics are embedded in the incident reports. For example: • Frequency? • Location? • Time? • Contributing conditions or circumstances? • Apparent cause? • Failed business process? • What was the business impact? • What are the characteristics of persons involved? Is the likely perpetrator an insider or outsider?
• 9. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
  – 34% on night shift involved alcohol
  – For past year 42% involved spousal conflicts with restraining orders
  – Post mortems indicate poor coordination & training of HR & Security personnel
  – Security not informed by HR of pending terminations
What gaps in our security program may be contributing to this increase in frequency and severity of workplace violence incidents? When we have competent investigations with good incident reports we should drill down with a lessons-learned process that will reveal real causes rather than symptoms. Metrics are embedded in our findings regarding apparent vulnerabilities or failed security measures that contributed to the incident: • Is there a pattern in your findings that suggests a broader set of risks? • What business processes failed? Which ones should have mitigated risks like these? Who owns them? • What have we learned about the victims and perpetrators?
• 10. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
  – 34% on night shift involved alcohol
  – For past year 42% involved spousal conflicts with restraining orders
  – Post mortems indicate poor coordination & training of HR & Security personnel
  – Security not informed by HR of pending terminations
Mitigating Actions:
  – New policies on restraining orders & no alcohol on site
  – 1st line supervisors receive managing aggressive behavior training
  – HR/Security Intervention Team formed & trained
  – Workplace violence protocols & training implemented
We now have a handle on broken processes and what it will likely take to fix them. Metrics are embedded in the post-incident steps taken to mitigate future incidents of this type: • What specific results are expected of the steps that have been taken? • What will the steps cost? • Who are the stakeholders? • How do we sell the proposed steps?
• 11. Moving from an Incident Trend to Metrics
Area of Risk: Increases in frequency and severity of workplace violence incidents
Contributing Vulnerabilities:
  – 34% on night shift involved alcohol
  – For past year 42% involved spousal conflicts with restraining orders
  – Post mortems indicate poor coordination & training of HR & Security personnel
  – Security not informed by HR of pending terminations
Mitigating Actions:
  – New policies on restraining orders & no alcohol on site
  – 1st line supervisors receive managing aggressive behavior training
  – HR/Security Intervention Team formed & trained
  – Workplace violence protocols & training implemented
Measures & Metrics:
  – % reductions in alcohol-related cases
  – Increases in reporting of restraining orders
  – % reductions in workplace violence & confrontations
  – Post mortems show training & intervention techniques work
  – Employee surveys show improved safety
Metrics are embedded in the results of the risk mitigation activities: • What were the positive or negative results vs. those planned? • What savings or expenses will accrue?
• 12. Communicating Your Findings Using the data gathered from incident reports and case post-mortems during the past year on workplace violence incidents, we can build a couple of PowerPoint graphics to demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for presentation purposes. The chart utility is fairly easy to use and offers a lot of chart types and ability to play with content, appearance and analytical options such as trend analysis. Each of the following two slides may be used in a variety of opportunities:
  – Advise top management on risk mitigation activities
  – Demonstrate the effectiveness of a new or revised security measure
  – Demonstrate value by reducing potentially costly litigation and reputational risk
  – Engage and raise targeted business unit awareness of potential risk
  – Modify a business process for increased safety and productivity
  – Meet legal obligations for safe & secure workplaces
  – Contribute to improved employee morale
  – Celebrate an important collaboration
Investigative post mortems are especially effective in developing the data for a briefing on this topic. What was learned, what have we done to prevent similar occurrences in the future, what were the outcomes for victims, employees and perpetrators?
• 13. Example: From our incident data base, we can construct an overall view of workplace violence for the current year:
[Bar chart: incident counts by category on a 0 to 100 scale]
Internal Threat: Termination Assistance; Employee Conduct; Ex-employee Conduct
External Threat: Domestic Violence (64% with restraining orders); Hostile Visitor; Disgruntled Customer On site; Telephone Threats*; Mail Threats to Co.; Bomb Threats
* Not bomb
• 14. Cumulative Impact of Steps Taken to Mitigate Workplace Violence at Assembly Plant # 4
[Chart: % increase/decrease by quarter (1st Qtr, 2nd Qtr, 3rd Qtr, 4th Qtr) on a -100 to +100 scale, for four series:]
  – % Increase/Decrease in alcohol-related workplace violence incidents
  – % Increase/Decrease in successful intervention since manager training
  – % Increase/Decrease in voluntary reporting of restraining orders
  – % Increase/Decrease in coordinated Security/HR interaction
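As an added worked example (not part of the presentation or the Security Executive Council's material), the Python below turns a constructed set of incident records into the slide 9 style shares and the slide 14 style quarter-over-quarter % change, applying the slide 3 distinction between a measurement (a count) and a metric (a comparison over time). The record fields, the sample incidents and the function names are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Incident:
    when: date                  # date of the incident
    shift: str                  # "day" or "night"
    alcohol: bool               # alcohol involved
    restraining_order: bool     # spousal conflict with a restraining order on file
    hr_notified_security: bool  # HR told Security about the pending termination

# Constructed sample year at one site; fields mirror the slide 8 questions (not presentation data).
INCIDENTS = [
    Incident(date(2007, 1, 15), "night", True, False, False),
    Incident(date(2007, 2, 3), "day", True, True, True),
    Incident(date(2007, 2, 20), "night", True, False, False),
    Incident(date(2007, 3, 9), "day", False, True, False),
    Incident(date(2007, 4, 2), "night", False, False, True),
    Incident(date(2007, 5, 11), "day", True, True, False),
    Incident(date(2007, 5, 30), "night", True, False, True),
    Incident(date(2007, 7, 7), "day", True, False, True),
    Incident(date(2007, 8, 19), "night", False, True, True),
    Incident(date(2007, 10, 5), "day", True, False, True),
]

def pct(part, base):
    """Percentage to one decimal; None when the base is zero (nothing to compare against)."""
    return None if base == 0 else round(100.0 * part / base, 1)

def contributing_vulnerabilities(incidents):
    """Measurements (counts) turned into the shares reported on slide 9."""
    inc = list(incidents)
    night = [i for i in inc if i.shift == "night"]
    return {
        "night_shift_alcohol_pct": pct(sum(i.alcohol for i in night), len(night)),
        "restraining_order_pct": pct(sum(i.restraining_order for i in inc), len(inc)),
        "hr_not_informing_pct": pct(sum(not i.hr_notified_security for i in inc), len(inc)),
    }

def quarterly_change(incidents, matches):
    """Metric: % increase/decrease per quarter vs the prior quarter (slide 14 style).
    The first quarter is the baseline, so its change is None; a zero baseline also yields None."""
    counts = Counter((i.when.month - 1) // 3 + 1 for i in incidents if matches(i))
    change, prev = {}, None
    for q in (1, 2, 3, 4):
        cur = counts.get(q, 0)
        change[q] = None if prev is None else pct(cur - prev, prev)
        prev = cur
    return change
```

Passing `lambda i: i.alcohol` to `quarterly_change` yields the alcohol-related series from slide 14; a predicate that matches no incidents in a quarter shows why the next quarter's change must be reported as unavailable rather than as a number.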
• 15. Summary • We own a unique database of business performance measures and metrics • Our metrics enable and support a key value proposition: our ability to positively influence enterprise protection, corporate policy and behavior • Our programs can materially contribute to corporate health and profitability • We have an obligation to inform, educate and eliminate plausible denial • We need to graphically demonstrate to management how we are probing the weak spots and influencing change
• 16. Where to Find More on Security Metrics To learn more about the Security Executive Council and security metrics, go to www.securityexecutivecouncil.com. Portions of this presentation are from: Measures and Metrics in Corporate Security
• 17. George K. Campbell George is currently a member of the Emeritus Faculty of the Security Executive Council and a Managing Partner in the Business Security Advisory Group, a professional security consultancy and is a He retired in 2002 as Chief Security Officer at Fidelity Investments, the world’s largest privately owned financial services firm. Under George’s leadership, the global corporate security organization delivered a wide range of proprietary services including information security, disaster recovery planning, background, due diligence and criminal investigations, fraud prevention, property protection and security system engineering. During the period 1989-92 George owned his own security-consulting firm and from 1978-89 was Group Vice President at a system engineering firm supporting worldwide U.S. Government security programs. His criminal justice career from 1965 to 1978 was spent in various line and senior management functions within federal, state and local government agencies. He is a frequent contributor to professional security journals and seminars and is the author of Measures and Metrics in Corporate Security, published in 2005 by the Security Executive Council. George received his baccalaureate degree (Police Administration) from American University, Washington, D.C. in 1965. He is a Life Member and served on the Board of Directors of the International Security Management Association from 1998-2003 and as ISMA’s President in 2002-03. George has been a member of the American Society for Industrial Security since 1978. He is an alumnus of the U.S. Department of State, Overseas Security Advisory Council, a former member of the High Technology Crime Investigation Association and the Association of Certified Fraud Examiners.