Security Metrics - Measure What Matters - Part 4

Security Metrics - What To Measure: Internal User Activities

For example, Chad Robinson of the Robert Frances Group recommends using these security metrics:

  • Attempts to access unauthorized Web site content
  • Invalid login attempts
  • Storage of unauthorized file content (e.g., audio, video)
  • Unauthorized attempts to access controlled resources (e.g., VPN)
  • Disclosure of sensitive information
  • Data or intellectual property theft
  • Unauthorized use of administrator privileges

Examples from Gartner's "Metrics for Information Security Awareness" include:

  • Process Improvement Percent of staff who know that the security policy exists
  • Percent who have seen or read the security policy
  • Percent of individuals tested on the policy (passing and failing)
  • Are internal and external security audits showing improvement?
  • Attack Resistance Percent of surveyed individuals recognizing a security event scenario
  • Percent of surveyed or tested individuals susceptible to social engineering
  • Percent of users tested that revealed their password
  • Percent of administrators tested that failed an improper password change attempt
  • Percent of users activating a test virus
  • Efficiency / Effectiveness Percent of security incidents having human behavior as a major factor
  • Internal Crunchiness Percent of corporate software, partners, suppliers reviewed for security
  • Percent of critical data that is strongly protected
  • Percent of critical data not protected according to security standards
  • Percent of systems having malware installed / unapproved software installed

These are a good start to get us thinking in the right direction – measuring internal user behaviors.

Security Behaviors Can Be Classed as Good, Bad, or Ugly

Good Security Behavior complies with the letter and spirit of the law, e.g., not releasing non-public information inappropriately or discovering and reporting a security vulnerability.

Bad Security Behavior includes naive mistakes and dangerous tinkering, such as:

  • Sharing a password
  • Deploying a wireless network gateway that allows non-company personnel to use the company's network
  • Setting up a packet spoofing application to test the user's programming ability
  • Setting up a network monitoring scanner on the user's PC

Ugly Security Behavior is detrimental misuse or intentional destruction, such as:

  • Building a script that disables other users' terminal sessions
  • Forging e-mail header information to make it look like someone else sent a message
  • Using a file decryption program to discover contents of a file containing trade secrets or sensitive information 
  • Intentionally introducing a Trojan horse program into the network

Choosing Security Metrics: Examples and Recommendations

Send us a note if you'd like us to send you a 4-page security awareness metrics handout (pdf) that contains practical details for behavior-based security awareness metrics. This approach divides security behaviors into three categories: good, bad, and ugly. In addition to classifying security-related behaviors, the handout presents specific metrics that can be used and how the measurements may be collected.

This is the fourth part of a four-part series of articles:
Security Awareness Metrics: Measure What Matters

Part 1

Part 2

Part 3

Article by K Rudolph, CISSP © Native Intelligence, Inc.    All rights reserved.