Risk metrics: Measuring the effectiveness of an IT security control

In this article, based on an MSc thesis by Jonathan Pagett and Siaw-Lynn Ng, learn how to use risk metrics to gauge the effectiveness of IT security controls.

Many organisations spend a fortune on information security, but how many seek to measure the effectiveness of their investments?

The multitude of security incidents uncovered in research such as the Information Security Breaches Survey clearly shows that many existing security measures are not working effectively. Measures may be ignored, bypassed or incorrectly implemented, and organisations may not realise how ineffectively any given IT security control is managed or implemented, resulting in higher levels of risk exposure.

While security practitioners can define the theoretical risk exposure for an organisation based on risk-assessment and risk-reduction activities, without understanding how its controls and processes are actually implemented, an organisation cannot know its actual risk exposure.

To help solve this problem, some organisations have started using security risk metrics in the process of risk management, as part of a continual assessment of risks and effectiveness of controls as the threat and technological landscape changes.

In their article Improving residual risk management through the use of security metrics, Jonathan Pagett and Siaw-Lynn Ng introduce the Information Security Effectiveness Framework (ISEF), which they argue could facilitate the definition, visualisation and comparison of security metrics in order to improve residual risk management.

They say that by introducing measurements of real-world effectiveness into risk management, organisations can improve their understanding of their current risk exposure. The organisations can also ensure they are achieving the best risk reduction for their investments and identify where resources can be focused in order to improve security.

The article describes how the ISEF has been applied in two organisations and reports significant improvements even where the organisation in question did not have a well-developed risk management programme in place.

About the authors:
Jonathan Pagett is a security architect working within Central Government.

Siaw-Lynn Ng is a lecturer at Royal Holloway University of London. Her research interests include combinatorics and finite geometry and their applications in information security.

The article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that SearchSecurity.co.uk is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.