Blogger: Pete Lindstrom
Yesterday, I gave a keynote at our Catalyst Conference that introduced a set of ten strategic security metrics. These metrics are:
- Transaction Value (TV) - (Total Value of IT and Information Assets $ / Total Transactions)
- Transaction Cost (TC) - (Total Cost of IT and Information Assets $ / Total Transactions)
- Controls per Transaction (CPT) - (Total Number of Inline Control Events / Total Transactions)
- Cost per Control (CPC) - (Total Cost of Control $ / Total Number of Inline Control Events)
- Security to Value Ratio (STV) - (Total Security Costs $ / Total Value of IT and Information Assets $)
- Loss to Value Ratio (LTV) - (Total Losses $ / Total Value of IT and Information Assets $)
- Control Effectiveness Ratio (CE) - ((Good Allowed Control Events + Bad Denied Control Events) / Total Number of Inline Control Events)
- Incidents per Million (IPM); Incidents per Billion (IPB) - ((Total Number of Incidents / Total Transactions) x One Million or Billion)
- Incident Prevention Rate (IPR) - (1 - (Total Incidents / (True Positives + Total Incidents)))
- Risk Aversion Ratio (RAR) - (False Positives / Total Incidents)
The goal of these metrics is to bridge the gap between operational metrics and strategic metrics. That is, we can take the risk- and value-oriented information we are already collecting and plug it into these metrics as the points where it is aggregated. I gave an easy example of email and how that could be done. The key is to start small.
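To show how the roll-up from operational counts to the ten metrics works, here is an added worked example for the email case (example code, not from the original post). It assumes one inline control event per control that inspects a message, with each event classified as good/bad and allowed/denied, and that incidents are counted separately from control logs (e.g. from IR tickets); all figures are constructed.

```python
# Constructed operational counts for one month of an email gateway.
# Each inbound message is one transaction; every inline control that
# inspects a message records one control event, classified by whether
# the message was good or bad and whether the control allowed or denied it.
SAMPLE_MONTH = {
    "transactions": 2_000_000,
    # control: (good_allowed, bad_denied, bad_allowed, good_denied)
    "controls": {
        "spam_filter": (1_850_000, 140_000, 6_000, 4_000),
        # the AV scanner only sees the 1,856,000 messages the spam filter allowed
        "av_scanner": (1_855_000, 500, 100, 400),
    },
    "incidents": 120,             # confirmed incidents (assumed: from IR tickets, not control logs)
    "asset_value": 10_000_000.0,  # total value of IT and information assets ($)
    "asset_cost": 1_200_000.0,    # total cost of IT and information assets ($)
    "control_cost": 96_400.0,     # total cost of the two inline controls ($)
    "security_cost": 400_000.0,   # total security costs ($)
    "losses": 150_000.0,          # total losses ($)
}

def strategic_metrics(period: dict) -> dict:
    """Roll one period's operational counts up into the ten strategic metrics."""
    tx = period["transactions"]
    rows = list(period["controls"].values())
    control_events = sum(sum(r) for r in rows)       # every inspection, any outcome
    good_allowed = sum(r[0] for r in rows)
    true_positives = sum(r[1] for r in rows)         # bad denied
    false_positives = sum(r[3] for r in rows)        # good denied
    incidents = period["incidents"]
    incidents_per_tx = incidents / tx
    return {
        "TV":  period["asset_value"] / tx,
        "TC":  period["asset_cost"] / tx,
        "CPT": control_events / tx,
        "CPC": period["control_cost"] / control_events,
        "STV": period["security_cost"] / period["asset_value"],
        "LTV": period["losses"] / period["asset_value"],
        "CE":  (good_allowed + true_positives) / control_events,
        "IPM": incidents_per_tx * 1_000_000,
        "IPB": incidents_per_tx * 1_000_000_000,
        "IPR": 1 - incidents / (true_positives + incidents),
        "RAR": false_positives / incidents,
    }

if __name__ == "__main__":
    for name, value in strategic_metrics(SAMPLE_MONTH).items():
        print(f"{name:>4}: {value:,.4f}")
```

With these figures CPT comes out near 2 because most messages are inspected by both controls, and RAR shows roughly 37 legitimate messages blocked for every confirmed incident.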


Sounds interesting,
would you mind elaborating a little?
I'm not sure what some of the values mean, like "Transaction Value": what transactions?
What is an "inline control event" (zero hits on Google; did you just coin that expression?)
thanks
Osama Salah
Posted by: Osama Salah | June 27, 2008 at 03:12 AM