Security Metrics

Welcome to Security Spotlight, a monthly feature highlighting ASIS resources on specific topics in security management. This includes information free to all practitioners, as well as select members-only content.

A business metric is a quantifiable measurement used to track and assess the performance of a business as a whole or a specific business process. Security metrics are no different. At one time, security metrics mainly tracked events, processes, and workload. Today, however, security metrics must be collected, analyzed, reviewed, and communicated in a way that fits into an organization’s overall business strategy.

The following resources will help security professionals understand what security metrics are being collected, how they are being used, and how to incorporate them into a business plan.

Free Resources

Metrics that Score with Your Boss

Seminar Session Recording

This video, The Security Metrics Challenge, available for both members and nonmembers, was recorded at a recent Annual Seminar and Exhibits. Five top-level security professionals discuss how they use metrics in their organizations. The list of speakers represented the U.S. Air Force, the Defense Intelligence Agency, Northrop Grumman, BAE Systems, Boeing, and General Dynamics.

All five find their approach to using metrics in the C-suite is driven by risk management: assessing the potential for risk, plotting potential stress points, and giving warnings before the bad news hits. Examples of these types of risks include cyber threats, data breaches, and physical threats. The metrics included in this type of presentation must be targeted to provide a risk profile for decision making, including countermeasures and mitigation alternatives. The approach should include elements that the boss wants to know or is unaware of, including what needs to change.

Using Security Metrics to Persuade Management

Our second resource, also available free for both members and nonmembers, is an ASIS Foundation report on Persuading Senior Management with Effective, Evaluated Security Metrics. The report, based upon findings from the Security Metrics Survey listed below, includes:

  • The Security Metrics Evaluation Tool (Security MET), which security professionals can self-administer to develop, evaluate, and improve security metrics
  • A library of metric descriptions, each evaluated according to the Security MET criteria
  • Guidelines for effective use of security metrics to inform and persuade senior management with an emphasis on organizational risk and return on investment

Featured Resource

These featured resources are available free for ASIS members and nonmembers. (Guest login required for nonmembers.)

Member-only Resources

Security Metrics Survey

The ASIS Leadership and Management Practices Council surveyed security managers to identify how they were using metrics in their organizations. Of the 290 respondents, the majority said they are collecting metrics.

The survey’s designers conclude that “the security organization needs to be value centered, not just a cost center,” and the onus is on the security professional to measure what is relevant to their organizations and ensure that the results reach the C-suite. 

The survey’s findings have formed the basis of the ASIS Foundation's Persuading Senior Management with Effective, Evaluated Security Metrics.

Developing a Business Case

Security metrics form the core of a well-thought-out business plan, but top corporate executives must be approached with a document that they can review and absorb quickly. A presentation that expects them to fumble through pages of charts to find key points is likely to receive short shrift. The answer is to assemble a presentation in a format they have seen many times: the professional business case.

As outlined in the third highlighted resource, the tone of a business case should be professional, understandable, accurate, and strategic, setting forth desired business outcomes, quantifiable values and benefits, costs versus risks, and return on investment. Its elements are fairly standard and usually include eight parts. The ASIS Leadership and Management Practices Council developed this guide.    


Attending ASIS 2014?

Join us at the 60th Annual Seminar and Exhibits for a related session: Security Metrics: Leveraging Performance Measures to Gain Efficiencies and Demonstrate Return on Investment.

Learn, discuss, and network with both colleagues and experts on security metrics (and much more!) at ASIS 2014 in Atlanta, Georgia.

Why Metrics are Important

A mantra frequently used by management gurus holds that “what gets measured gets done.” Like all business expenditures, security investments require a metrics-based justification in the boardroom. Security managers who want to procure the funding they need must justify that spending. To be effective, security metrics should be in line with business objectives. Used in this context, security metrics allow business leaders to act on the information they are viewing.

Learn More

The resources available through ASIS provide a pathway to tailoring security metrics to specific business sectors and audiences. Illustrations, how-tos, and formulas for establishing security metrics are all available through ASIS white papers, articles, books, workshops, webinars, and research. Start exploring!

Next month’s feature topic: K-12 Security.