How Good Is Good? And How Can You Tell?

Security metrics form the basis for evaluating how well your information technology security system is reducing your vulnerabilities to intrusion and the introduction of malware, but they aren’t always well understood. Often confused with point-in-time snapshots of statistical data, metrics look at measurements over time, compared with a baseline, to reveal trends.

Security metrics form the basis for evaluating how well your information technology security system is reducing your vulnerabilities to intrusion and the introduction of malware, but they aren’t always well understood. Often confused with point-in-time snapshots of statistical data, metrics look at measurements over time, compared with a baseline, to reveal trends.

George Jelen of the International Systems Security Engineering Association says security metrics should be “SMART — specific, measurable, attainable, repeatable and time-dependent.”

Shirley Payne, director of Security Coordination and Policy at the University of Virginia, describes a seven-step process:

1. Define the metrics program goals and objectives.
2. Decide which metrics to generate.
3. Develop strategies for generating the metrics.
4. Establish benchmarks and targets.
5. Determine how the metrics will be reported.
6. Create an action plan and act on it.
7. Establish a formal program review and refi nement process.

“The process can guide development of simple metrics programs as well as highly ambitious ones. Keep in mind that the metrics generated should be useful enough to drive improvement in the overall security program and help prove the value of that program to the organization as a whole,” Payne says.

WHAT ARE Students Doing?

34% of college students spend more than 10 hours per week online.

3.5 hours per day e-mailing, instant messaging and surfing

6.5 hours per week visiting social networking sites

46% listen to the radio less than three hours per week.

64% use their computers while watching TV or listening to the radio.

30% SPEND LESS THAN THREE HOURS A WEEK WATCHING TV.

Safety: Not in These Numbers

CDW•G and Eduventures research company surveyed 182 systems directors and managers nationwide for the “Higher Education IT Security Report Card 2006.” Of those they interviewed:

58% experienced at least one IT security incident in the past year.

9% reported a loss or theft of personal student information.

97% reported that one-quarter or less of their IT budgets goes toward IT security.

68% reported no growth in their IT security budgets this year compared with the previous year.