IT managers see need for risk metrics

The lack of standard processes and the wide variability of factors that affect risk are making it hard for companies to quantify the risk management benefits, according to users at a Gartner conference.

"There is an increasing focus on measuring security effectiveness," said Carl Cammarata, chief information security officer at American Automobile Association.

Companies are realising that "you can't manage what you can't measure".

Driving the trend is the fact that security budgets have been rising by 20% annually over the past couple of years, said Richard Hunter, an analyst at Gartner.

As a result, security administrators are under growing pressure to find quantitative measures to demonstrate the efficiency of their security strategies.

"You need to have a baseline to measure against. If you don't have any measurements, you don't know where you are," said Gregory Waters, a senior information assurance engineer at TWM Associates, an IT auditing firm.

The numbers can come from a variety of sources. For example, said Gartner, a company could collect metrics on the number of attacks it faced during a specific period, the type of attacks, the percentage of attacks that were successful, the time that elapsed between the onset of an attack and when it was first detected, and the time it took to launch countermeasures.
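The metrics Gartner lists can be derived directly from incident records. The following is an added example, not code from the article or from Gartner, that computes attack counts per period and per type, the success rate, mean time from onset to detection, and mean time from detection to countermeasure over a small set of constructed sample incidents; the `Incident` fields, the sample dates and the function names are all assumptions made for the illustration.

```python
"""Security metrics from incident records (added example, not from the article).

Computes the measurements named in the text - attacks per period, attacks by
type, percentage of successful attacks, time from onset to first detection,
and time from detection to countermeasure - over constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    # Field layout is an assumption for this example, not a real schema.
    onset: datetime                 # when the attack began (from logs/forensics)
    detected: datetime              # when it was first noticed
    contained: Optional[datetime]   # when countermeasures were in place; None = still open
    kind: str                       # attack category, e.g. "phishing"
    successful: bool                # whether the attacker reached their objective


def _hours(later: datetime, earlier: datetime) -> float:
    """Elapsed time between two timestamps, in hours."""
    return (later - earlier).total_seconds() / 3600.0


def compute_metrics(incidents: List[Incident],
                    period_start: datetime, period_end: datetime) -> Dict:
    """Return the metrics for incidents whose onset falls in [period_start, period_end)."""
    in_period = [i for i in incidents if period_start <= i.onset < period_end]
    if not in_period:
        return {"attacks": 0}

    by_type: Dict[str, int] = {}
    for i in in_period:
        by_type[i.kind] = by_type.get(i.kind, 0) + 1

    successes = sum(1 for i in in_period if i.successful)
    # Mean time to detect: onset -> first detection, over every incident in the period.
    mttd = mean(_hours(i.detected, i.onset) for i in in_period)
    # Mean time to counter: detection -> containment, over closed incidents only.
    closed = [i for i in in_period if i.contained is not None]
    mttr = mean(_hours(i.contained, i.detected) for i in closed) if closed else None

    return {
        "attacks": len(in_period),
        "by_type": by_type,
        "success_rate": successes / len(in_period),
        "mean_hours_to_detect": mttd,
        "mean_hours_to_counter": mttr,
        "open_incidents": len(in_period) - len(closed),
    }


# Constructed sample data: five incidents, the last one outside the reporting period.
SAMPLE_INCIDENTS = [
    Incident(datetime(2024, 1, 5, 8, 0), datetime(2024, 1, 5, 10, 0),
             datetime(2024, 1, 5, 14, 0), "phishing", True),
    Incident(datetime(2024, 1, 20, 0, 0), datetime(2024, 1, 21, 0, 0),
             datetime(2024, 1, 21, 7, 0), "malware", True),
    Incident(datetime(2024, 2, 10, 12, 0), datetime(2024, 2, 10, 12, 30),
             datetime(2024, 2, 10, 13, 30), "scan", False),
    Incident(datetime(2024, 3, 15, 9, 0), datetime(2024, 3, 16, 6, 30),
             None, "phishing", False),
    Incident(datetime(2024, 4, 2, 3, 0), datetime(2024, 4, 2, 4, 0),
             datetime(2024, 4, 2, 5, 0), "scan", False),
]
Q1_START = datetime(2024, 1, 1)
Q1_END = datetime(2024, 4, 1)


if __name__ == "__main__":
    for key, value in compute_metrics(SAMPLE_INCIDENTS, Q1_START, Q1_END).items():
        print(f"{key}: {value}")
```

Running the same function over successive periods gives the baseline the article's sources ask for: a change in mean hours to detect between two quarters is a trend a business manager can read without knowing how the detections were made.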

The metrics could also relate to a company's overall risk profile based on an assessment of the vulnerabilities and threats faced by an organisation and the countermeasures in place to deal with them.

Some suppliers, such as TruSecure, offer tools claiming to help companies numerically score their risk on a sliding scale based on such assessments.

Used properly, such metrics can help security administrators give business managers a better snapshot of a company's risk profile, Cammarata said.

At AAA, merely using statistics and benchmarks from organisations such as the SANS Institute and the Computer Security Institute is no longer enough, Cammarata said.

"My managers want to know what these statistics mean to my organisation specifically," he said.

Jaikumar Vijayan writes for Computerworld