Abstract

Information Technology (IT) is continuously evolving at a faster rate, and enterprises are always trying to keep pace with the changes. So are the threats. As the complexity of IT increases, the unprecedented threat environment and security challenges have also increased multifold over the years. Security Managers continually face the challenging task of not only protecting their company but also convincing the stakeholders of the security investments. The well-informed stakeholder demands a higher level of transparency, Return on Investment (ROI) and security. Security metrics play a key role in responding to these demands. However, security metrics alone are not enough; they must be substantiated. The stakeholders always question and challenge the metrics provided. They are always skeptical of the numbers shown in metrics. As such, more information is needed to substantiate the metrics' claims. Therefore, this research will explore the identification of quality security elements to determine the matured security metrics within an operational security environment. The research will categorize metrics maturity into three types: infant, evolving and matured metrics. The classification is performed by analyzing the quality of a metric through a scorecard and by providing a score. Towards the end, the Security Metrics Maturity Index (SM-Mi) is introduced to label a company on how trustworthy its metrics are and how much confidence one can feel when looking into them. The entire classification uses an operational security taxonomy for better understanding. The end result of this research will be a guide for Security Managers to produce a convincing and close-to-accurate report for the C-level management of an organization. This research will look into various studies done on existing measurements and security elements for security metrics and produce a method that will portray the maturity of security metrics used in an organization.
