Applied Information Management

Key Components of an Information Security Metrics Program Plan

In Brief: Information security has become an essential business function that is critical to enabling organizations to conduct their operations and deliver services to the public. The push to secure organizational information has initiated the need to develop better metrics for understanding the state of the organization's security posture.

Security metrics can increase accountability, demonstrate quantifiable progress in strategic goals and objectives, and demonstrate compliance with applicable laws.

The goal of this literature review is to address the value of using performance measures to quantify the effectiveness of an organization's information security program. Chew et al. (2006) define performance measures as "indicators, statistics, or metrics used to gauge program performance" (p. 10). This review is intended to be valuable to information technology professionals who need to design an effective information security program and to those who manage information security initiatives.

The purpose of this literature review is to identify and describe key components necessary to include when developing a plan for an information security metrics program. Security professionals must measure the value of their information security programs and demonstrate the continuing maturity of their organizations. Payne (2006) believes that the use of metrics can be an effective tool for determining the effectiveness of various components of a security program.

Key Components and Associated Tasks
Component 1: Program Initiation
This component recognizes that a "foundation of strong upper-level management support" is needed for an information security metrics program to be successful (Swanson, 2003, p. 2). "Without defined objectives for an information security program it is not possible to develop useful metrics" (Brotby, 2009, p. 4). Major tasks of the program initiation component are:
  • Secure management support
  • Define goals, objectives, and business drivers
  • Determine the audience of the information security metrics
Component 2: Development of Information Security Metrics
Good metrics should be "specific, measurable, comparable, attainable, repeatable, and time dependent" (Patriciu, 2006, p. 152). The following tasks are recommended in the development of information security metrics component:
  • Determine attributes of a good information security metric
  • Determine what to measure
  • Test and determine thresholds
Component 3: Collection and Analysis of Information Security Metrics
Once metrics have been identified, specific implementation steps should be defined for how to collect and analyze the security metrics (Swanson, 2003, p. 24). Every metrics program should include processes for analyzing and interpreting the data (Bryant, 2007, p. 8). Major tasks of the collection and analysis component include:
  • Collect information security metrics
  • Analyze information security metrics
  • Establish benchmarks and targets
Component 4: Reporting and Responding to Information Security Metrics
Meaningful reporting is the key to the success of any information security metrics program (Pironti, 2007, p. 4). Major tasks of the reporting and responding to information security metrics component are as follows:
  • Determine how metrics will be reported, frequency, format, etc.
  • Determine who will receive information security metrics
  • Respond to information security metrics
Component 5: Maintaining an Information Security Metrics Program
A metrics program is not a one-time effort but a constantly evolving one that requires continuous support and processes to improve the program (Kark, 2008, p. 12). The tasks needed for the maintenance component include:
  • Establish a formal program for review and refinement of the information security metrics program
  • Assess the organization's culture

Table 1 summarizes the five key components of an information security metrics program plan. Each component documents the supporting literature and presents a list of the major tasks.

In summary, information security measures can increase accountability for information security by helping to identify specific security controls that are implemented incorrectly, are not implemented, or are ineffective. An information security measurement program can enable organizations to quantify improvements in securing information systems and demonstrate quantifiable progress in accomplishing agency strategic goals and objectives. And finally, organizations can demonstrate compliance with applicable laws, rules, and regulations by implementing and maintaining an information security measurement program.


  • Brotby, W. K. (2008). Information security metrics: A definitive guide to effective security monitoring and measurement. Boca Raton, FL: Auerbach.
  • Bryant, A. R. (2007). Developing a framework for evaluating organizational information assurance metrics programs. Ft. Belvoir: Defense Technical Information Center. Retrieved April 5, 2009, from Handle System
  • Chew, E., Clay, A., Hash, J., Bartol, N., & Brown, A. (2006). Guide for developing performance metrics for information security: Recommendations of the National Institute of Standards and Technology. Gaithersburg, MD: U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology. Retrieved April 8, 2009, from National Institute of Standards and Technology
  • Kark, K. (2008, July 22). Best practices: security metrics. Retrieved March 12, 2009, from Forrester database: Forrester
  • Patriciu, V., Rriescu, I., & Nicolaescu, S. (2006). Security metrics for enterprise information systems. Journal of Applied Quantitative Methods, 1(2). Retrieved April 8, 2009, from Journal of Applied Quantitative Methods
  • Payne, S. C. (2006, June 19). A guide to security metrics. SANS Institute. Retrieved April 7, 2009, from SANS Institute InfoSec Reading Room
  • Pironti, J. P. (2007). Developing metrics for effective information security governance. Information Systems Control Journal. 2, 33-38. Retrieved April 7, 2009, from
  • Swanson, M., Bartol, N., Sabato, J., Hash, J., & Graffo, L. (2003). Security metrics guide for information technology systems. Gaithersburg, MD: National Institute of Standards and Technology, Technology Administration, U.S. Dept. of Commerce. Retrieved April 8, 2009, from National Institute of Standards and Technology

Research Paper Author: Scott E. Schimkowitsch, senior security specialist, Harland Financial Solutions—2009 AIM Graduate

Abstract: An information security metrics program can provide organizations with a resource to manage, monitor, control, or improve aspects of an information security program. A set of five key components necessary to include when developing a plan for an information security metrics program is presented. Components are framed in relation to criteria from Chew et al. (2008), and include associated tasks designed to a) increase accountability, b) improve information security effectiveness, and c) demonstrate compliance.
