There is a natural human desire both to avoid punishment and to covet that which thy neighbour has (hence the existence of the well-known "thou shalt not…" commandment). Humans also strongly desire to be rewarded for their accomplishments, yet at the same time would like to remain as anonymous as possible. With such contradictory characteristics, how could one possibly use something like security metrics to change or channel the right behaviours?
Since the most effective metrics programs have a measurable, reportable action component, the way in which that action is carried out must be designed in up-front. Given the limited resources in business units and IT areas, this design should focus on the most critical areas first and shift focus as progress is made on individual KPIs.
To that end, we present an approach that has an element of the medieval gallows (i.e. shame) as well as an element of "keeping up with the Joneses" (i.e. competition) to improve the effectiveness of concrete risk, security and compliance program goals and controls. We will demonstrate real-world improvements made in the area of policy/standard exceptions as well as anti-virus infections, and propose other concrete areas that organizations of all sizes can work on in 2012 and beyond to drive critical improvements in their programs.
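As an added illustration of the reportable-action mechanics described above (this is example code written for this page, not material from the talk), the following Python builds the two KPIs the abstract names, open policy exceptions and anti-virus infections, normalizes them per 100 staff or endpoints so units of different sizes can be compared fairly, ranks units worst-first for a published scoreboard, picks the KPI with the largest aggregate shortfall as the area to focus on first, and measures period-over-period change so improvements can be reported. The business-unit figures and the target thresholds are constructed sample values, not real data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class UnitKPIs:
    """Raw counts for one business unit in one reporting period."""
    name: str
    headcount: int          # people in the unit
    endpoints: int          # managed machines in the unit
    open_exceptions: int    # policy/standard exceptions still open
    av_infections: int      # anti-virus detections in the period

# Constructed sample figures for two consecutive quarters (not real data).
PREVIOUS_QUARTER = [
    UnitKPIs("Finance", 118, 150, 12, 4),
    UnitKPIs("Engineering", 390, 510, 16, 31),
    UnitKPIs("Sales", 250, 260, 40, 8),
    UnitKPIs("HR", 40, 45, 2, 1),
]
CURRENT_QUARTER = [
    UnitKPIs("Finance", 120, 150, 9, 3),
    UnitKPIs("Engineering", 400, 520, 14, 26),
    UnitKPIs("Sales", 250, 260, 30, 5),
    UnitKPIs("HR", 40, 45, 1, 0),
]

# Assumed program targets (rate per 100); a real program would set its own.
TARGETS = {
    "exceptions_per_100_staff": 5.0,
    "infections_per_100_endpoints": 2.0,
}

def per_100(count: int, population: int) -> float:
    """Rate per 100 of the population; an empty population scores 0 rather than dividing by zero."""
    return 0.0 if population == 0 else 100.0 * count / population

def unit_rates(u: UnitKPIs) -> Dict[str, float]:
    """Normalized KPIs so a 40-person unit and a 400-person unit are comparable."""
    return {
        "exceptions_per_100_staff": per_100(u.open_exceptions, u.headcount),
        "infections_per_100_endpoints": per_100(u.av_infections, u.endpoints),
    }

def rank_units(units: List[UnitKPIs], kpi: str) -> List[Tuple[str, float]]:
    """Worst-first ranking on one KPI: the published 'gallows' table. Ties keep input order."""
    scored = [(u.name, unit_rates(u)[kpi]) for u in units]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def focus_kpi(units: List[UnitKPIs], targets: Dict[str, float]) -> Tuple[str, Dict[str, float]]:
    """Choose where limited resources go first: the KPI whose total shortfall
    against target (summed over units, only counting units above target) is largest."""
    gaps = {
        kpi: sum(max(0.0, unit_rates(u)[kpi] - target) for u in units)
        for kpi, target in targets.items()
    }
    return max(gaps, key=gaps.get), gaps

def period_delta(previous: List[UnitKPIs], current: List[UnitKPIs]) -> Dict[str, Dict[str, float]]:
    """Per-unit change in each normalized KPI between two periods; negative means improved."""
    prev_by_name = {u.name: unit_rates(u) for u in previous}
    delta = {}
    for u in current:
        now = unit_rates(u)
        before = prev_by_name.get(u.name, {})
        delta[u.name] = {k: now[k] - before.get(k, 0.0) for k in now}
    return delta

if __name__ == "__main__":
    kpi, gaps = focus_kpi(CURRENT_QUARTER, TARGETS)
    print(f"Focus area this quarter: {kpi} (shortfalls: {gaps})")
    for name, rate in rank_units(CURRENT_QUARTER, kpi):
        print(f"  {name:<12} {rate:6.2f}")
    for name, d in period_delta(PREVIOUS_QUARTER, CURRENT_QUARTER).items():
        print(f"  {name:<12} change: {d}")
```

Normalizing before ranking matters: ranking on raw counts would put the largest unit at the top of every table regardless of how well it is actually doing, which undermines the competition element rather than driving it.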