ASIS News: Studies on Metrics and the Size of the Security Industry

By Ann Longmore-Etheridge

01 June 2014

Print Issue: June 2014

Panel Discusses U.S. Security Industry

Not since Hallcrest II was published in 1990 have there been comprehensive statistics on the size of the United States security industry. That changed in 2013, when ASIS International and the Institute of Finance and Management (IOFM) joined forces to draft a report documenting the industry’s development. A panel presentation at the ASIS 24th New York City Security Conference and Expo on March 14 updated those numbers for 2014 and beyond in a sneak preview of the second edition of the report, titled The U.S. Security Industry: Size and Scope, Insights, Trends, and Data.

U.S. spending on security goods and services for 2013 amounted to $388 billion, according to Michael Gips, ASIS vice president of publishing and a report coauthor. Private sector companies spent $319 billion of that amount, with the rest coming from federal homeland security spending. In 2014, the private sector will spend $341 billion, rising to $377 billion by 2015. About one-third of that spending is earmarked for IT security, while the rest goes to “operational security.” Gips explained that operational security covers physical security plus other non-IT aspects of security, including intelligence, antifraud measures, investigations, and threat detection.

Driving up operational security numbers was a healthy growth in sales of CCTV and surveillance products. One-third of respondents said they would increase spending on surveillance in 2014 and 2015, with a median increase in spending of 20 percent. Other growth areas were IT security software and security consulting services. In the latter case, 26 percent said they would increase spending on consultants by an average of 31.5 percent.

Gips also noted the increase in U.S. full-time security professionals. In 2014, that number is pushing 2.7 million, with some 900,000 in IT security. Near-term growth in jobs will be propelled by IT security demands, he said.

Moderator R. D. Whitney, executive director of IOFM and another coauthor of the report, explained that this report and research effort are not a one-time initiative but represent the start of an ongoing effort to collect additional accurate data on the industry. He encouraged session attendees to participate in this research if they are solicited by ASIS or IOFM. The 2014 report reflects the responses of almost 500 participants, he noted.

GROUNDBREAKING METRICS STUDY COMPLETED

The ASIS International Foundation Research Committee and the ASIS Defense and Intelligence Council have completed a comprehensive study on the development and implementation of psychometrically-based measurement focused on the security industry.

The security industry relies on measuring performance and efficiency in every aspect of the profession. Security metrics are quantifiable measurements of an aspect of a system or enterprise, collected and analyzed to help an organization protect its people, property, and information. Using various metrics, security can measure results that correlate with investment and speak to leadership in familiar business language.

Metrics drive business decisions and behavior. They influence process assessment and controls, business policies, collaboration for enterprisewide benefits, business investment decisions, and strategic and profit center alignment. With proper design and implementation, both security professionals and corporate management can develop security metrics into a readily accessible dashboard. If poorly designed, security metrics may be perceived as unnecessary and a drain to corporate profits.

After a review of existing metrics used in the industry, the Foundation study found that:

Descriptions of existing security metrics are generally vague, making it difficult to adopt them; the focus is more on counting events rather than meaningful, risk-based metrics.
Strategies for communicating metrics are general and may be hard to implement.
Typically, evaluation criteria are only presented at a conceptual level within the security literature without explicit definitions.
Few examples of empirically sound metrics (with statistical justification and evidence) are present within the security literature.

The development of the Security Metrics Evaluation Tool (Security MET) would address these limitations.

Developing a useful tool required support from the ASIS community using surveys, interviews, and expert and advisory panels. The completed design can be used to either improve and evaluate existing metrics or create new measures.

The Security Metrics Evaluation Tool (MET) is divided into three parts. The first considers the measurement principles of reliability, validity, and generalizability. A reliable metric captures data not affected by outside effects such as time or weather. Validity means that the metric measures what you want to measure. A good metric should be able to be used across the organization to measure similar events.

The second part focuses on developing a metric that supports the operational aspects of the security function. Practitioners must consider whether the data is collected in a timely enough fashion to be of practical use by the organization. The data collected must also minimize the possibility of manipulation and biased information.

Last is the strategic value. Any metric should show support for a return on investment in security and demonstrate organizational relevance. Security professionals must also clearly communicate the value of the metric to senior executives.

The complete study and Security MET will be provided this fall to ASIS members.