Information Security Metrics Dashboards and Progress Reports

1 Representing Security Metrics in DashBoards and Progress Reports © Inovement and Vicente Aceituno 2013

Upload: vicente-aceituno

Post on 18-Jan-2015


Page 1: Information Security Metrics Dashboards and Progress Reports


Representing Security Metrics in DashBoards and Progress Reports

© Inovement and Vicente Aceituno 2013

Page 2: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Metrics are measurements that gain meaning from comparison with previous or equivalent measurements.

For example, “A kid’s height is 100cm” means nothing.

“The height of a kid is 100cm, while the height of more than 95% of kids his age is 90cm or less” means he is TALL.

Page 3: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

We get the most value from Metrics when we investigate the root causes for measurements that deserve our attention.

Correct representation of metrics can make it obvious when a measurement deserves investigation.

Unfortunately, many representations of metrics hide meaning instead of highlighting it.

Page 4: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

There are 15 main metrics for a process or a control.

It is not practical to represent every metric for every control or process in an ISMS when there is a large number of controls.

It is therefore necessary to choose and find a compact way to represent metrics in order to gain situational awareness.

Note: The canonical list of security metrics will be published early 2014 in a white paper.

Page 5: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

The interpretation of a metric always renders one or several of the following meanings:

Current Value: Normal or Abnormal. Satisfactory or Unsatisfactory.

Trend: Better or Worse. Increase or Decrease.

A good use of color and arrows can represent this in a compact and visually evident way.

Making the difference between issues to investigate and those that require urgent attention evident brings added value to the dashboard.

Page 6: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Some metrics correlate with value, some do not. For example:

Without value:

Number of drops in a firewall. Fewer drops doesn’t mean we are not being attacked.

Number of viruses cleaned. More viruses cleaned doesn’t mean systems are cleaner.

With value:

Backups performed. The more backups, the more data can be recovered.

Authorized logins successful. When authorized people can log in, they can work.

Page 7: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

When a metric does not correlate with value we have the following meanings:

Current Value: Normal or Abnormal.

Trend: Increase or Decrease.

When a metric correlates with value we have the following meanings:

Current Value: Satisfactory or Unsatisfactory.

Trend: Better or Worse.

Page 8: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

When a metric is not about value it can be represented using a square.

When a metric is about value it can be represented using a circle.

Page 9: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Normal / Abnormal is a distinction that can be represented using Blue (Normal), Grey (Abnormal) and Black (Abnormal) for urgent Action.

Satisfactory / Unsatisfactory is a distinction that can be represented using Green (Satisfactory), Yellow (Unsatisfactory) and Red (Unsatisfactory) for urgent Action.

Page 10: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Increase / Decrease trends is a distinction that can be represented using an arrow colored depending on whether the trend makes the current situation likely to stay.

Better / Worse trends is a distinction that can be represented using an arrow colored depending on whether the trend makes the current situation likely to stay.

Page 11: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

The direction of the arrow indicates the type of change.

The color of the arrow indicates what that means.

A straight up or down arrow indicates the need for urgent action.

Examples:

Page 12: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Exercise: Guess what the following mean:

Page 13: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

Solution:

Abnormal, Increasing towards Normal, Urgent Action

Abnormal, Decreasing towards Normal

Normal, Decreasing

Unsatisfactory, Getting better, Urgent Action

Satisfactory, Getting worse

Unsatisfactory, Getting worse fast, Urgent Action

Page 14: Information Security Metrics Dashboards and Progress Reports


Metrics Representation

To summarize, any Security Metrics work is incomplete unless the representation of metrics in DashBoards and Progress Reports makes the meaning as obvious as possible.

It is possible to use colors and shapes to highlight meaning in a very compact way.
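The encoding described on slides 7 to 11, written out as an added example (not part of the original presentation): it turns two consecutive measurements into shape, color, arrow and a meaning phrased like the exercise solution. The function names, the 5th to 95th percentile band, the `urgent_band` parameter and the arrow color rule are assumptions made for illustration; the slides do not define thresholds.

```python
from statistics import quantiles

def band_from_history(history):
    """Normal band taken as the 5th-95th percentile of past measurements (assumed cut-offs)."""
    cuts = quantiles(history, n=20, method="inclusive")
    return cuts[0], cuts[-1]

def _dist(x, band):
    return max(band[0] - x, 0, x - band[1])   # 0 when x lies inside the band

def encode(prev, cur, band, urgent_band, value_metric, higher_is_better=True):
    """Return (shape, colour, arrow, arrow_colour, meaning) for one metric."""
    ok = band[0] <= cur <= band[1]
    urgent = not (urgent_band[0] <= cur <= urgent_band[1])
    shape = "circle" if value_metric else "square"
    palette = ("green", "yellow", "red") if value_metric else ("blue", "grey", "black")
    colour = palette[0] if ok else palette[2] if urgent else palette[1]
    up = cur > prev
    if value_metric:
        state = "Satisfactory" if ok else "Unsatisfactory"
        good = up == higher_is_better
        trend = "Getting better" if good else "Getting worse"
    else:
        state = "Normal" if ok else "Abnormal"
        good = _dist(cur, band) <= _dist(prev, band)
        trend = "Increasing" if up else "Decreasing"
        if not ok and good:
            trend += " towards Normal"
    if cur == prev:                      # no change, so no arrow is drawn
        arrow = arrow_colour = None
        meaning = state
    else:
        # Straight arrow = urgent action, diagonal otherwise (as on the slides).
        arrow = ("↑" if up else "↓") if urgent else ("↗" if up else "↘")
        # Assumption: "good" colour when the trend favours the normal/satisfactory state.
        arrow_colour = palette[0] if good else palette[1]
        meaning = f"{state}, {trend}"
    if urgent:
        meaning += ", Urgent Action"
    return shape, colour, arrow, arrow_colour, meaning

# Constructed sample: 101 past daily firewall-drop counts (0..100).
band = band_from_history(list(range(0, 101)))
print(encode(prev=1, cur=3, band=band, urgent_band=(4, 200), value_metric=False))
# Constructed sample: backup success rate in percent, target 95, urgent below 80.
print(encode(99, 97, (95, float("inf")), (80, float("inf")), value_metric=True))
```
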

Page 15: Information Security Metrics Dashboards and Progress Reports


Learn to implement High Performance Security Management Processes http://cli.gs/ism3

Web www.inovement.es

Video Blog youtube.com/user/vaceituno

Blog ism3.com

Twitter twitter.com/vaceituno

Presentations slideshare.net/vaceituno/presentations

Articles slideshare.net/vaceituno/documents

Page 16: Information Security Metrics Dashboards and Progress Reports


668862242


Calle Loeches, 1, 28008, Madrid, Spain