Security Metrics - Measure What Matters - Part 4
By: K Rudolph • September 30, 2017
A published author and an experienced editor and document designer, K's mission is to help authors do great work.
Security Metrics - What To Measure: Internal User Activities
For example, Chad Robinson of the Robert Frances Group recommends using these security metrics:
- Attempts to access unauthorized Web site content
- Invalid login attempts
- Storage of unauthorized file content (e.g., audio, video)
- Unauthorized attempts to access controlled resources (e.g., VPN)
- Disclosure of sensitive information
- Data or intellectual property theft
- Unauthorized use of administrator privileges
Examples from Gartner's "Metrics for Information Security Awareness" include:
Process Improvement
- Percent of staff who know that the security policy exists
- Percent who have seen or read the security policy
- Percent of individuals tested on the policy (passing and failing)
- Are internal and external security audits showing improvement?
Attack Resistance
- Percent of surveyed individuals recognizing a security event scenario
- Percent of surveyed or tested individuals susceptible to social engineering
- Percent of users tested that revealed their password
- Percent of administrators tested that failed an improper password change attempt
- Percent of users activating a test virus
Efficiency / Effectiveness
- Percent of security incidents having human behavior as a major factor
Internal Crunchiness
- Percent of corporate software, partners, suppliers reviewed for security
- Percent of critical data that is strongly protected
- Percent of critical data not protected according to security standards
- Percent of systems having malware installed / unapproved software installed
These are a good start to get us thinking in the right direction – measuring internal user behaviors.
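As an added example (not from the article, Robinson, or the Robert Frances Group), the Python below derives several of the internal-activity metrics above from constructed log lines and flags users who exceed a threshold; the log format, event names, and the three-failure threshold are assumptions. Disclosure and theft metrics are not log-derivable this way and would come from incident records.

```python
# Added example: compute Robinson-style user-activity metrics from log lines.
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed "ts user=<u> event=<e> ..." format.
SAMPLE_LOG = """\
2017-09-30T08:01:02 user=alice event=login_failed src=10.0.0.5
2017-09-30T08:01:10 user=alice event=login_failed src=10.0.0.5
2017-09-30T08:01:20 user=alice event=login_ok src=10.0.0.5
2017-09-30T08:05:00 user=bob event=login_failed src=10.0.0.9
2017-09-30T08:05:05 user=bob event=login_failed src=10.0.0.9
2017-09-30T08:05:09 user=bob event=login_failed src=10.0.0.9
2017-09-30T09:00:00 user=carol event=web_blocked url=example.invalid/x
2017-09-30T09:30:00 user=bob event=vpn_denied src=203.0.113.7
2017-09-30T10:00:00 user=dave event=admin_unauthorized target=fs01
2017-09-30T10:02:00 user=carol event=unapproved_file type=video
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)")

# Assumed event names, mapped to the metric names used in the article's list.
METRIC_FOR_EVENT = {
    "login_failed": "Invalid login attempts",
    "web_blocked": "Attempts to access unauthorized Web site content",
    "vpn_denied": "Unauthorized attempts to access controlled resources",
    "unapproved_file": "Storage of unauthorized file content",
    "admin_unauthorized": "Unauthorized use of administrator privileges",
}

def parse_log(text):
    """Yield (user, event) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("event")

def compute_metrics(text):
    """Return ({metric: total}, {metric: {user: count}}) over the log."""
    totals, per_user = Counter(), defaultdict(Counter)
    for user, event in parse_log(text):
        metric = METRIC_FOR_EVENT.get(event)
        if metric is None:  # e.g. login_ok feeds no metric
            continue
        totals[metric] += 1
        per_user[metric][user] += 1
    return totals, per_user

def users_over_threshold(per_user, metric, threshold):
    """Users whose count for `metric` meets the (assumed) threshold."""
    return sorted(u for u, n in per_user[metric].items() if n >= threshold)
```

Run as a periodic job, the per-user breakdown is what turns a raw count into an awareness metric: a handful of users with repeated failures points to a training or process gap rather than a tooling one.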
Security Behaviors Can Be Classed as Good, Bad, or Ugly
Good Security Behavior complies with the letter and spirit of the law, e.g., not releasing non-public information inappropriately or discovering and reporting a security vulnerability.
Bad Security Behavior includes naive mistakes and dangerous tinkering, such as:
- Sharing a password
- Deploying a wireless network gateway that allows non-company personnel to use the company's network
- Setting up a packet spoofing application to test the user's programming ability
- Setting up a network monitoring scanner on the user's PC
Ugly Security Behavior is detrimental misuse or intentional destruction, such as:
- Building a script that disables other users' terminal sessions
- Forging e-mail header information to make it look like someone else sent a message
- Using a file decryption program to discover contents of a file containing trade secrets or sensitive information
- Intentionally introducing a Trojan horse program into the network
Choosing Security Metrics: Examples and Recommendations
Send us a note if you'd like us to send you a 4-page security awareness metrics handout (pdf) that contains practical details for behavior-based security awareness metrics. This approach divides security behaviors into three categories: good, bad, and ugly. In addition to classifying security-related behaviors, the handout presents specific metrics that can be used and how the measurements may be collected.
This is the fourth part of a four-part series of articles:
Security Awareness Metrics: Measure What Matters