Measuring security is very much a practical matter. An organization needs to understand the efficiency, effectiveness, and overall value of its security efforts in order to make decisions that lead to an optimal level of security.
History tells a tale
The industry has witnessed a recurring pattern. As companies begin to focus on security concerns, the need to measure and understand the value proposition becomes increasingly important for making good business decisions. Many organizations jump into security based upon fear, uncertainty, and doubt (FUD) without the benefit of security value measurements. In a classic knee-jerk reaction, some companies initially poured money into security programs, and only when the dust settled did they begin to ask about the actual value and cost effectiveness of sustaining operations. As reality sets in, they begin to ask: Did this make a difference? Did I do too much? Why is the sustaining cost so high?
The maturity cycle takes over, and the tough questions lead to the understanding that they are not seeking a state of perfect security, but rather a balance. Having sufficient security to ensure zero negative impact from threats would be wildly expensive and most likely impossible. Too little security can allow unacceptable business impact and losses. So there must be a sweet spot. This is where security metrics come into play: to help find the right balance and to help leaders make the right decisions to attain it.
What is value?
We all know what value is, right? A quick check in the Encarta Dictionary will return: "the worth, importance, or usefulness of something to somebody". It is not limited to dollars, rate of return, or some other finite indicator. In reality, it can be the absence of discomfort, compliance with regulation, satisfaction of key people, uptime, the ability to seize opportunities, something tied to emotions, etc. Those who only seek to put a dollar sign on security value are missing the boat. Don't get caught in that tar pit. It will limit your visibility and undermine the accuracy of any analysis.
Who are these people and what are they asking for?
It may seem, to those in the security world, that everybody wants to know the value. But it is more complex than that. Everybody wants it expressed in a different way, their way. Talk to a finance analyst and they will be demanding NPV (Net Present Value) or IRR (Internal Rate of Return) numbers. The friendly business analyst will prefer BV (Business Value). The efficiency manager will be firm on CB and CE (Cost Benefit/Efficiency) ratios, while the product and service managers hold to the trusty ROI (Return On Investment) model. Savvy senior managers know to ask for overall ROSI (Return On Security Investment) numbers, while mid-level operations folks live and die by the MTTR (Mean Time To Repair) and MTBF (Mean Time Before Failure) metrics. The list goes on, as auditors, compliance, corporate purchasing, etc. each have their preferred vernacular. Even security researchers will tend to lean towards their own expertise. It is easy to recognize those with an economics, mathematics, or operations background, as they express their ideas in the terms of those disciplines.
My advice is to ignore these people and their fancy acronyms. Express value in the most applicable and accurate way possible for the circumstance. It is hard enough just to do that! Keep it practical, keep it real.