Priyanka Aash, profile picture
Uploaded byPriyanka Aash
822 views

Developing useful metrics

This document discusses developing useful metrics for governance, risk management, and compliance programs. It begins by explaining the difference between measures and metrics, and emphasizes tying metrics to business objectives and decisions. A 5-step GQIM process is introduced for deriving metrics from objectives: identifying goals, questions, indicators, and metrics based on objectives. Examples are provided for an incident management objective. The document also discusses challenges in identifying meaningful metrics and getting started with a measurement program by focusing on a few key business objectives and questions.

Embed presentation

Downloaded 30 times
SESSION ID:SESSION ID: #RSAC Lisa Young Developing Useful Metrics GRC-F03 Vice President, Service Delivery Axio Global Lyoung@Axio.com David Tobar Senior Cybersecurity Engineer SEI/CERT Carnegie Mellon University Dtobar@cert.org
#RSAC Notices Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0003301
#RSAC GRC-F03 3 This session does not cover specific technical security metrics does cover the importance of metrics tied to things that matter to the business Why you might want to stay for this session - if you are interested in determining what to measure in support of business objectives identifying risks and gaps in your current measurement processes a process for developing metrics that will help you do these things
#RSAC Why do you want to measure?
#RSAC Key questions What should I measure to determine if I am meeting my performance objectives for security? What is the business value of being more secure? Of a specific security investment?
#RSAC Terminology (*) Measure vs. metric I had 2 eggs for breakfast this morning It’s 53 degrees in San Francisco, CA This session is 40 minutes long A measure (or measurement) is the value of a specific characteristic of a given entity (collected data). A metric is the aggregation of one or more measures to create a piece of business intelligence, in context. OR (*) Visualize This! Meaningful Metrics for Managing Risk. Session GRC-F02, RSA Conference 2014.
#RSAC So what? Why do you care? If I had this metric: (*) What decisions would it inform? What actions would I take based on it? What behaviors would it affect? What would improvement look like? What would its value be in comparison to other metrics? (*) informed by Douglas Hubbard, How to Measure Anything, John Wiley & Sons, 2010
#RSAC Why measure? Speak to decision makers in their language Demonstrate that the security program has measurable business value Justify new investments; make improvements Use trends to help predict future events Demonstrate that control objectives are (and continue to be) met Answer key questions
#RSAC Deriving Metrics from Objectives - GQIM
#RSAC Key questions Not “What metrics should I use?” but “What do I want to know or learn?” Alternatives: What decisions do I want to inform? What actions do I want to take? What behaviors do I want to change?
#RSAC Purpose Use a defined, repeatable process to derive meaningful metrics that directly support achievement of business objectives and: demonstrate the business value of each metric (and justify the cost for its collection and reporting) defend such metrics in comparison to others add metrics, update metrics, and retire metrics as business objectives change ultimately, inform business decisions, take appropriate action, and change behaviors
#RSAC Key takeaways Understand a 5-step process for deriving metrics from business or program objectives Be able to apply this process to your objectives Identify at least one metric that you can use immediately Be able to better communicate with business leaders in their language Assess the utility of current metrics
#RSAC GQIM process Objectives Identify business objectives that establish the need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use selected indicators to answer the question
#RSAC Objectives to Goals
#RSAC Process State a business or program objective Define one or more goals that are required to achieve the stated objective Goal: the end toward which effort is directed Fewer are better Essential (high leverage/high payoff) vs. complete coverage — Judgment informed by stakeholder review
#RSAC Objectives to Goals What are meaningful actions to take to achieve the objective? Which actions are most important? 2-3 that are essential, high leverage, high payoff Carry forward and refine key terms from the objective in the goals Ask “If I achieve this goal, will I be able to demonstrate substantive progress in achieving the objective?”
#RSAC Objective to Goals – Incident Management example Objective Goal Mitigate the risks of business disruption and loss resulting from cybersecurity incidents (with impact threshold > [x]) Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. • enterprise and operational unit levels Others?
#RSAC Goals to Questions
#RSAC Goals to Questions -1 What are meaningful questions to answer to determine if the goal is being achieved? Requires subject matter expertise Which questions are most important? Carry forward and refine key terms from the goal in the question Ask “If I answer this question, will I be able to demonstrate substantive progress in achieving the goal?”
#RSAC Goals to Questions -2 Useful questions are in the form of: What is the process for . . . (better than “How does the organization . . .”) — leads to implementation metrics How effective is . . . — leads to effectiveness metrics — most desirable but need implementation metrics first
#RSAC Goal to Questions – IM example Goal Questions G1: Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. Q1: What is the process by which suspicious events are detected and declared as incidents? Q2: What is the criteria for escalating high- impact incidents? To whom? Others?
#RSAC Questions to Indicators
#RSAC Questions to Indicators What data do I need to answer the question? Can add more data granularity than called for in the question In what form should the data be reported? Which data is most important? Carry forward and refine key terms from the question in the indicators Ask “If I have this data, will I be able to answer some aspect of the question?”
#RSAC Goal Question Indicators G1 Q1: What is the process by which suspicious events are detected and declared as incidents? Q1.I1: process and criteria for detecting and triaging suspicious events Q1.I2: process and criteria for declaring incidents Others? Question to Indicators – IM example
#RSAC Indicators to Metrics
#RSAC Indicators to Metrics Using the indicator data, what number, percentage, mean, or other metric can I collect/calculate to help answer the question? a percentage presumes 2 numbers are available so you don’t need to list the numbers as a metric if the percentage is based on it Which metrics are most important? Ask “Do I need additional data (more indicators)?” Ask “If I report this metric (over time), will it provide the greatest insight possible to answer the questions from which it derives?”
#RSAC Using this method to validate your current questions or metrics
#RSAC What if I only have a Metric? - 1 “We’ve always reported the number of machines with patches out of date.” How are you using this metric today? “What question will this metric answer?” This metric answers the following question: “How many machines are currently out of date?
#RSAC What if I only have a Metric? - 2 Answering this question will demonstrate substantive progress in achieving what goal? The goal answered by this question is “Keep machines up to date through patching.” Will this goal demonstrate progress againstan existing strategic business or program objective? By measuring the actual time between patch release and patch application, you are able to measure your organization’s ability to improve patch capability.
#RSAC Using GQIM to restate Strategic Business Objective: Mitigate the risk of successful software exploits by minimizing out-of-date software systems. Goal: Improve my organization’s process for patch management Question: How effective is my patch management process? Indicators: Increased efficiencies in the patch management process Metrics: Actual time between patch release and patch application. s
#RSAC What if all I have is a Question? - 1 “I’m always asked if my users have the proper level of system access.” How are you answering this question today? If the answer to this question is yes, what is the goal I am trying to achieve? — Goal: Ensure all users have the proper level of system access for their job responsibilities.
#RSAC What if all I have is a Question? - 2 What is the strategic business objective tied to this goal? Strategic business objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. What data would I need to answer the question: “Do all users have appropriate system access?” Inventory of IT systems with required security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list
#RSAC Using GQIM to Restate Strategic Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. Goal: Ensure all users have the proper level of system access for their job responsibilities. Question: Do all users have appropriate system access? Indicators: Inventory of IT systems with security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list Metrics: (more user centric) Time (min, max, med) to add a new system to inventory Time (min, max, med) to remove access when violation is discovered “Age” Time (min, max, med) of security and access attributes
#RSAC Barriers and challenges What current barriers do you face in establishing, managing, and/or executing a measurement program? What challenges do you face in identifying meaningful metrics within your organization? Have you identified some new/updated approaches for tackling these?
#RSAC Getting started
#RSAC Approach State a business objective Ideally your business objective supports a stated strategic objective Ensure that [business unit, service, product, supply chain, technology, data center] is … — available to meet a specified customer or revenue growth objective — unavailable for no more than some stated period of time, number of transactions, other units of measure — fully compliant with [law, regulation, standard] so as not to incur penalties
#RSAC To get started Identify sponsors and key stakeholders Define security objectives and key questions Determine information that informs these What information do you already have? What information do you need to collect? What is the value of collecting additional information? Define and vet a small number of key metrics Collect, analyze, report, refine Leverage an existing measurement program
#RSAC Questions Lisa Young Email: Lyoung@axio.com Vice President, Service Delivery Axio Global David Tobar Email: DTobar@cert.org Senior Cybersecurity Engineer Carnegie Mellon University SEI/CERT
#RSAC CERT | Software Engineering Institute | Carnegie Mellon Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations CERT – Anticipating and solving our nation’s cybersecurity challenges Largest technical program at SEI Focused on information security, digital investigation and forensics, insider threat, operational risk, vulnerability analysis, network situational awareness, metrics, and governance

More Related Content

PPT
Security Predictions
byprogramsam
 
PDF
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
byCompTIA
 
PDF
Doing Analytics Right - Designing and Automating Analytics
byTasktop
 
PDF
Doing Analytics Right - Building the Analytics Environment
byTasktop
 
PDF
Increasing the Probability of Success with Continuous Risk Management
byGlen Alleman
 
PPTX
Can You Really Automate Yourself Secure
byCigital
 
PDF
Betsol | Machine Learning for IT Project Estimates
byBETSOL
 
DOCX
Risk management 4th in a series
byGlen Alleman
 
Security Predictions
byprogramsam
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
byCompTIA
 
Doing Analytics Right - Designing and Automating Analytics
byTasktop
 
Doing Analytics Right - Building the Analytics Environment
byTasktop
 
Increasing the Probability of Success with Continuous Risk Management
byGlen Alleman
 
Can You Really Automate Yourself Secure
byCigital
 
Betsol | Machine Learning for IT Project Estimates
byBETSOL
 
Risk management 4th in a series
byGlen Alleman
 

What's hot

PDF
Re-Learning Strategy with Big Data
byMalcolm Ryder
 
PDF
Handling risk
byGlen Alleman
 
PDF
Managing risk with deliverables planning
byGlen Alleman
 
PDF
Pitfalls and Countermeasures in Software Quality Measurements and Evaluations
byHironori Washizaki
 
PDF
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
byAndrew O. Leeth
 
PPTX
Risk Management
byHinal Lunagariya
 
PDF
Penetration Testing Guide
byBadawy Abd El-Aziz
 
PDF
Risk Driven Approach to Test Device Software
byijtsrd
 
Re-Learning Strategy with Big Data
byMalcolm Ryder
 
Handling risk
byGlen Alleman
 
Managing risk with deliverables planning
byGlen Alleman
 
Pitfalls and Countermeasures in Software Quality Measurements and Evaluations
byHironori Washizaki
 
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
byAndrew O. Leeth
 
Risk Management
byHinal Lunagariya
 
Penetration Testing Guide
byBadawy Abd El-Aziz
 
Risk Driven Approach to Test Device Software
byijtsrd
 

Similar to Developing useful metrics

PDF
Creating Order from Chaos: Metrics That Matter
byPriyanka Aash
 
PPTX
Security Metrics Program
byCydney Davis
 
PPTX
Information Security Metrics - Practical Security Metrics
byJack Nichelson
 
PPTX
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
PPTX
Meaningfull security metrics
byVladimir Jirasek
 
PPTX
Practical Measures for Measuring Security
byChris Mullins
 
PPT
Security Metrics
byConferencias FIST
 
PPT
Old Presentation on Security Metrics 2005
byAnton Chuvakin
 
PDF
Strategic governance performance_management_systems
byRamsés Gallego
 
PDF
Measuring Success - Security KPIs
byH Contrex
 
PPTX
ISAA
byOsmania University
 
PPT
Security metrics 2
byManish Kumar
 
PPTX
Presenting Metrics to the Executive Team
byJohn D. Johnson
 
PDF
Is it Safe? measuring product security goodness
byJustin Berman
 
PPTX
Ten Tenets of CISO Success
byFrank Kim
 
PDF
Cybersecurity the new metrics
byAbhishek Sood
 
PDF
Blue-Team-Summit-2023_Social-Engineering-your-Metrics_Joe-Gray.pdf
bysneakcozywaking
 
PDF
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
byasundaram1
 
PPTX
How To Set Security Awareness Strategic Goals, KPIs and Metrics
byTerranova Security
 
PPT
Securitymetrics
byManish Kumar
 
Creating Order from Chaos: Metrics That Matter
byPriyanka Aash
 
Security Metrics Program
byCydney Davis
 
Information Security Metrics - Practical Security Metrics
byJack Nichelson
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
Meaningfull security metrics
byVladimir Jirasek
 
Practical Measures for Measuring Security
byChris Mullins
 
Security Metrics
byConferencias FIST
 
Old Presentation on Security Metrics 2005
byAnton Chuvakin
 
Strategic governance performance_management_systems
byRamsés Gallego
 
Measuring Success - Security KPIs
byH Contrex
 
ISAA
byOsmania University
 
Security metrics 2
byManish Kumar
 
Presenting Metrics to the Executive Team
byJohn D. Johnson
 
Is it Safe? measuring product security goodness
byJustin Berman
 
Ten Tenets of CISO Success
byFrank Kim
 
Cybersecurity the new metrics
byAbhishek Sood
 
Blue-Team-Summit-2023_Social-Engineering-your-Metrics_Joe-Gray.pdf
bysneakcozywaking
 
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
byasundaram1
 
How To Set Security Awareness Strategic Goals, KPIs and Metrics
byTerranova Security
 
Securitymetrics
byManish Kumar
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Workflow and decision Automation with Flowable
bychakib ch
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 

Developing useful metrics

  • 1.
    SESSION ID:SESSION ID: #RSAC LisaYoung Developing Useful Metrics GRC-F03 Vice President, Service Delivery Axio Global Lyoung@Axio.com David Tobar Senior Cybersecurity Engineer SEI/CERT Carnegie Mellon University Dtobar@cert.org
  • 2.
    #RSAC Notices Copyright 2016 CarnegieMellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0003301
  • 3.
    #RSAC GRC-F03 3 This session does notcover specific technical security metrics does cover the importance of metrics tied to things that matter to the business Why you might want to stay for this session - if you are interested in determining what to measure in support of business objectives identifying risks and gaps in your current measurement processes a process for developing metrics that will help you do these things
  • 4.
    #RSAC Why do youwant to measure?
  • 5.
    #RSAC Key questions What shouldI measure to determine if I am meeting my performance objectives for security? What is the business value of being more secure? Of a specific security investment?
  • 6.
    #RSAC Terminology (*) Measure vs.metric I had 2 eggs for breakfast this morning It’s 53 degrees in San Francisco, CA This session is 40 minutes long A measure (or measurement) is the value of a specific characteristic of a given entity (collected data). A metric is the aggregation of one or more measures to create a piece of business intelligence, in context. OR (*) Visualize This! Meaningful Metrics for Managing Risk. Session GRC-F02, RSA Conference 2014.
  • 7.
    #RSAC So what? Whydo you care? If I had this metric: (*) What decisions would it inform? What actions would I take based on it? What behaviors would it affect? What would improvement look like? What would its value be in comparison to other metrics? (*) informed by Douglas Hubbard, How to Measure Anything, John Wiley & Sons, 2010
  • 8.
    #RSAC Why measure? Speak todecision makers in their language Demonstrate that the security program has measurable business value Justify new investments; make improvements Use trends to help predict future events Demonstrate that control objectives are (and continue to be) met Answer key questions
  • 9.
    #RSAC Deriving Metrics fromObjectives - GQIM
  • 10.
    #RSAC Key questions Not “Whatmetrics should I use?” but “What do I want to know or learn?” Alternatives: What decisions do I want to inform? What actions do I want to take? What behaviors do I want to change?
  • 11.
    #RSAC Purpose Use a defined,repeatable process to derive meaningful metrics that directly support achievement of business objectives and: demonstrate the business value of each metric (and justify the cost for its collection and reporting) defend such metrics in comparison to others add metrics, update metrics, and retire metrics as business objectives change ultimately, inform business decisions, take appropriate action, and change behaviors
  • 12.
    #RSAC Key takeaways Understand a5-step process for deriving metrics from business or program objectives Be able to apply this process to your objectives Identify at least one metric that you can use immediately Be able to better communicate with business leaders in their language Assess the utility of current metrics
  • 13.
    #RSAC GQIM process Objectives Identify business objectives that establishthe need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use selected indicators to answer the question
  • 14.
  • 15.
    #RSAC Process State a businessor program objective Define one or more goals that are required to achieve the stated objective Goal: the end toward which effort is directed Fewer are better Essential (high leverage/high payoff) vs. complete coverage — Judgment informed by stakeholder review
  • 16.
    #RSAC Objectives to Goals Whatare meaningful actions to take to achieve the objective? Which actions are most important? 2-3 that are essential, high leverage, high payoff Carry forward and refine key terms from the objective in the goals Ask “If I achieve this goal, will I be able to demonstrate substantive progress in achieving the objective?”
  • 17.
    #RSAC Objective to Goals– Incident Management example Objective Goal Mitigate the risks of business disruption and loss resulting from cybersecurity incidents (with impact threshold > [x]) Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. • enterprise and operational unit levels Others?
  • 18.
  • 19.
    #RSAC Goals to Questions-1 What are meaningful questions to answer to determine if the goal is being achieved? Requires subject matter expertise Which questions are most important? Carry forward and refine key terms from the goal in the question Ask “If I answer this question, will I be able to demonstrate substantive progress in achieving the goal?”
  • 20.
    #RSAC Goals to Questions-2 Useful questions are in the form of: What is the process for . . . (better than “How does the organization . . .”) — leads to implementation metrics How effective is . . . — leads to effectiveness metrics — most desirable but need implementation metrics first
  • 21.
    #RSAC Goal to Questions– IM example Goal Questions G1: Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. Q1: What is the process by which suspicious events are detected and declared as incidents? Q2: What is the criteria for escalating high- impact incidents? To whom? Others?
  • 22.
  • 23.
    #RSAC Questions to Indicators Whatdata do I need to answer the question? Can add more data granularity than called for in the question In what form should the data be reported? Which data is most important? Carry forward and refine key terms from the question in the indicators Ask “If I have this data, will I be able to answer some aspect of the question?”
  • 24.
    #RSAC Goal Question Indicators G1 Q1:What is the process by which suspicious events are detected and declared as incidents? Q1.I1: process and criteria for detecting and triaging suspicious events Q1.I2: process and criteria for declaring incidents Others? Question to Indicators – IM example
  • 25.
  • 26.
    #RSAC Indicators to Metrics Usingthe indicator data, what number, percentage, mean, or other metric can I collect/calculate to help answer the question? a percentage presumes 2 numbers are available so you don’t need to list the numbers as a metric if the percentage is based on it Which metrics are most important? Ask “Do I need additional data (more indicators)?” Ask “If I report this metric (over time), will it provide the greatest insight possible to answer the questions from which it derives?”
  • 27.
    #RSAC Using this methodto validate your current questions or metrics
  • 28.
    #RSAC What if Ionly have a Metric? - 1 “We’ve always reported the number of machines with patches out of date.” How are you using this metric today? “What question will this metric answer?” This metric answers the following question: “How many machines are currently out of date?
  • 29.
    #RSAC What if Ionly have a Metric? - 2 Answering this question will demonstrate substantive progress in achieving what goal? The goal answered by this question is “Keep machines up to date through patching.” Will this goal demonstrate progress againstan existing strategic business or program objective? By measuring the actual time between patch release and patch application, you are able to measure your organization’s ability to improve patch capability.
  • 30.
    #RSAC Using GQIM torestate Strategic Business Objective: Mitigate the risk of successful software exploits by minimizing out-of-date software systems. Goal: Improve my organization’s process for patch management Question: How effective is my patch management process? Indicators: Increased efficiencies in the patch management process Metrics: Actual time between patch release and patch application. s
  • 31.
    #RSAC What if allI have is a Question? - 1 “I’m always asked if my users have the proper level of system access.” How are you answering this question today? If the answer to this question is yes, what is the goal I am trying to achieve? — Goal: Ensure all users have the proper level of system access for their job responsibilities.
  • 32.
    #RSAC What if allI have is a Question? - 2 What is the strategic business objective tied to this goal? Strategic business objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. What data would I need to answer the question: “Do all users have appropriate system access?” Inventory of IT systems with required security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list
  • 33.
    #RSAC Using GQIM toRestate Strategic Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. Goal: Ensure all users have the proper level of system access for their job responsibilities. Question: Do all users have appropriate system access? Indicators: Inventory of IT systems with security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list Metrics: (more user centric) Time (min, max, med) to add a new system to inventory Time (min, max, med) to remove access when violation is discovered “Age” Time (min, max, med) of security and access attributes
  • 34.
    #RSAC Barriers and challenges Whatcurrent barriers do you face in establishing, managing, and/or executing a measurement program? What challenges do you face in identifying meaningful metrics within your organization? Have you identified some new/updated approaches for tackling these?
  • 35.
  • 36.
    #RSAC Approach State a businessobjective Ideally your business objective supports a stated strategic objective Ensure that [business unit, service, product, supply chain, technology, data center] is … — available to meet a specified customer or revenue growth objective — unavailable for no more than some stated period of time, number of transactions, other units of measure — fully compliant with [law, regulation, standard] so as not to incur penalties
  • 37.
    #RSAC To get started Identifysponsors and key stakeholders Define security objectives and key questions Determine information that informs these What information do you already have? What information do you need to collect? What is the value of collecting additional information? Define and vet a small number of key metrics Collect, analyze, report, refine Leverage an existing measurement program
  • 38.
    #RSAC Questions Lisa Young Email: Lyoung@axio.com VicePresident, Service Delivery Axio Global David Tobar Email: DTobar@cert.org Senior Cybersecurity Engineer Carnegie Mellon University SEI/CERT
  • 39.
    #RSAC CERT | SoftwareEngineering Institute | Carnegie Mellon Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations CERT – Anticipating and solving our nation’s cybersecurity challenges Largest technical program at SEI Focused on information security, digital investigation and forensics, insider threat, operational risk, vulnerability analysis, network situational awareness, metrics, and governance