Data security metrics and a value based approach
Licensed under the Creative Commons Attribution License
“I don't need data security, we outsource our IT to one of the big banks”
“It's never happened to us before”
“You can't estimate asset value”
“We encourage risk taking”
“I don't take risks”
True quotes from real people
• Introduction and welcome
• What is data security?
• Anything can be measured
• Why metrics?
• Why quantify risk?
• Measurement methods
• Continuous improvement
• Questions and answers
• Our mission today
– Tools to help make your work easier
– Share ideas
What the heck is data security?
– Ensure we can survive & add value
• Physical, information, systems, people
• Data security
– Protect data directly in all realms
Anything can be measured
All exact science is based on approximation.
If a man tells you he knows a thing exactly, then you can be safe in
inferring that you are speaking to an inexact man.
Data security metrics
– organization, channel and content
• Typical metrics
– % of employees that signed the AUP
– % Webmail traffic/all mail traffic
– % Office files by Webmail/Employees
– No. of revenue transactions
– Cost of security for operational/revenue systems
– Cost of security for customer service systems
– Cost of security for FnA systems
– Value of assets in Euro
– Total value at risk of assets
Why do we need metrics?
• Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and ...)
• Ignores the hard stuff: quantification and prioritization of your actions based on financial value of assets and measurement of threat impact
• “Ignorance is never better than ...”
Why bother quantifying risk?
• Why not qualitative metrics?
When was the last time a customer paid a “qualitative price”?
Quantitative risk model (*)
Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
Metrics: asset value, threat damage to asset, threat probability
(*) PTA - Practical Threat Analysis risk model
Quantitative risk model benefits
• Run security like you run your business
– Quantify and prioritize actions in Euro/USD
– Justify data security investments
• Measure improvement
– Reduced risk
– Lower costs
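The two slides above state the formula (Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability) and the benefits (prioritize actions in Euro, measure improvement as reduced risk). The following is an added example, not code from the presentation or from the PTA tool: it applies that formula to a handful of constructed assets and threats, ranks them by Euro at risk, and shows the net Euro effect of a countermeasure. All asset names, values, damage fractions, probabilities and costs are invented sample data.

```python
"""Added example (not from the original slides): a minimal quantitative
risk model in the style of the PTA formula on the slide,
Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability.
Every asset, value, damage fraction, probability and cost below is
constructed sample data, not a figure from the presentation."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    damage: float       # fraction of the asset value lost if the threat materializes (0..1)
    probability: float  # probability per year that the threat materializes (0..1)


# Constructed sample data: asset values in Euro (the slide's "Value of assets in Euro")
ASSET_VALUE_EUR = {
    "customer service db": 2_000_000.0,
    "FnA ledger": 5_000_000.0,
    "revenue web shop": 3_000_000.0,
}

# Constructed sample threats
THREATS = [
    Threat("laptop with customer export lost", "customer service db", 0.20, 0.30),
    Threat("ledger tampering by insider", "FnA ledger", 0.10, 0.05),
    Threat("web shop outage from DDoS", "revenue web shop", 0.05, 0.50),
]


def value_at_risk(threat, asset_value_eur):
    """The slide's formula: damage fraction x asset value x probability, in Euro."""
    if not (0.0 <= threat.damage <= 1.0 and 0.0 <= threat.probability <= 1.0):
        raise ValueError("damage and probability must be fractions in [0, 1]")
    return threat.damage * asset_value_eur[threat.asset] * threat.probability


def total_value_at_risk(threats, asset_value_eur):
    """The slide's "Total value at risk of assets" metric."""
    return sum(value_at_risk(t, asset_value_eur) for t in threats)


def prioritize(threats, asset_value_eur):
    """Rank threats by Euro at risk, highest first: "prioritize actions in Euro"."""
    ranked = [(value_at_risk(t, asset_value_eur), t) for t in threats]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def net_risk_reduction(threat, asset_value_eur, cost_eur, damage=None, probability=None):
    """Measure improvement: Euro of VaR removed by a countermeasure that lowers
    the damage fraction and/or the probability, net of the countermeasure's cost.
    A positive result means the investment is justified on this model."""
    changed = replace(
        threat,
        damage=threat.damage if damage is None else damage,
        probability=threat.probability if probability is None else probability,
    )
    before = value_at_risk(threat, asset_value_eur)
    after = value_at_risk(changed, asset_value_eur)
    return before - after - cost_eur


if __name__ == "__main__":
    for var, t in prioritize(THREATS, ASSET_VALUE_EUR):
        print(f"{var:>12,.0f} EUR  {t.name}")
    print(f"{total_value_at_risk(THREATS, ASSET_VALUE_EUR):>12,.0f} EUR  total value at risk")
    # Constructed countermeasure: full-disk encryption on laptops cuts the damage
    # fraction of the lost-laptop threat from 0.20 to 0.02 at a cost of 40,000 EUR.
    print(net_risk_reduction(THREATS[0], ASSET_VALUE_EUR, 40_000.0, damage=0.02), "EUR net")
```

The ranking is the decision aid the slide calls "run security like you run your business": the lost-laptop threat tops the list even though the FnA ledger is the most valuable asset, because the ledger threat's probability is low. The countermeasure function is where "measure improvement" lands: the same model, rerun with the post-countermeasure damage or probability, yields the Euro reduction that justifies (or fails to justify) the spend.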
• Hand sampling
– Small samples of employees, routers...
• The “Rule of 5”
• Expert estimates
– The CFO
• Pros at asset valuation
• Test equipment
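The "Rule of 5" in the list above is the small-sample rule from Hubbard's "How to Measure Anything": with only five randomly chosen samples there is a 93.75% chance that the population median lies between the smallest and largest of the five, which is what makes "hand sampling" of employees or routers useful. The following is an added example, not from the presentation: it derives that probability, turns five samples into a median interval, and checks the claim by simulation on a constructed population (office files per employee sent via webmail, invented for the example).

```python
"""Added example (not from the original slides): the "Rule of 5" small-sample
rule the slide lists as a measurement method. The population below is
constructed sample data, not a measurement from the presentation."""
import random
import statistics


def rule_of_five_confidence(n=5):
    """Exact probability that the population median lies within the range of n
    random samples (continuous population). The median is outside the range
    only if all n samples fall on the same side of it; each sample is above
    (or below) the median with probability 1/2, so P(miss) = 2 * (1/2)^n."""
    if n < 1:
        raise ValueError("need at least one sample")
    return 1.0 - 2 * (0.5 ** n)


def median_interval(sample):
    """The Rule-of-5 estimate: the median is (with 93.75% confidence for n=5)
    somewhere between the smallest and largest observed value."""
    if len(sample) < 5:
        raise ValueError("the Rule of 5 needs at least five samples")
    return min(sample), max(sample)


def contains(interval, value):
    low, high = interval
    return low <= value <= high


def constructed_population(size=400, seed=7):
    """Constructed sample data: webmail office-file counts per employee, skewed
    so that a few heavy users dominate the mean but not the median."""
    rng = random.Random(seed)
    return [rng.lognormvariate(1.5, 0.9) for _ in range(size)]


def simulate_hit_rate(population, trials=4000, n=5, seed=42):
    """Empirical check of the rule: fraction of trials whose five-sample range
    contains the true population median."""
    rng = random.Random(seed)
    true_median = statistics.median(population)
    hits = sum(
        contains(median_interval(rng.sample(population, n)), true_median)
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    pop = constructed_population()
    print(f"theoretical confidence for 5 samples: {rule_of_five_confidence():.4f}")
    print(f"true median of constructed population: {statistics.median(pop):.2f}")
    print(f"one hand sample of 5 gives interval: {median_interval(random.Random(1).sample(pop, 5))}")
    print(f"simulated hit rate over 4000 trials: {simulate_hit_rate(pop):.4f}")
```

The usage note for a practitioner: the rule bounds the median, not the mean, so it is the right tool when asking "what does a typical employee do" and the wrong one when a few outliers (the heavy webmail users in the constructed population) are what you need to size. The simulation deliberately uses a continuous population; on discrete counts, ties with the median make the range contain it at least as often as the formula says.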
Data Document Forensics
Received: from [172.16.1.35]
Countermeasures “Send me more