A Security Metrics Story:
Turning Data into Metrics


              George Campbell
 Emeritus Faculty, Security Executive Council




           Copyright 2008 Security Executive Council
Key Objectives for Security Metrics

• Positively influence action, attitude and policy

• Materially impact exposure to specific risks

• Demonstrate security’s value through clear
  alignment with business strategy and
  objectives

• Measure the success of our diverse programs

Some Basic Definitions*
 *A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002

• Measurements- single point-in-time views of specific
  factors generated by counting.
      • Example: Number of life safety vulnerabilities
        detected by Security Officers on tours

• Metrics- comparing a pre-determined baseline of two
  or more measurements taken over time generated
  from analysis.
      • Example: Change in number of life safety
        vulnerabilities detected by Security Officers on
        tours since last reporting period

What do You Want to do With Your Metrics?

•   Report on Risk
•   Risk Awareness in Business Units
•   Reveal Lessons-Learned from Incidents
•   Track Trends
•   Track Program Performance
•   Measure Security’s Influence
•   Measure Security’s Value
•   Security Overview-A Report to Management
•   Other message or report?


Fundamental Requirement: Good Data!
“Good” =
  – Timely incident & investigation reports competently prepared and
    reviewed by security management

  – Content of reports, logs and other data sources is valid, accurate
    and reliable

  – A platform that enables enterprise-wide data entry from all sources
    of incident and event data, query for trends, analytical searching
    and interface with tools such as Microsoft Excel and PowerPoint

  – A data analysis process that enables and provides assurance of
    verifiable conclusions

  – Clear ownership and accountability for data reliability

  – Regardless of source, it must be quantifiable, repeatable (for
    trending), obtainable and feasible to measure
What Types of Actionable Metrics?
         “There are three kinds of lies: Lies, damn lies and statistics.”

• Trends: external and internal risk factors targeted by security programs
• Change: relationship of security programs to an improved state of risk management
• Project status: schedules, budget burn rates, results to plan, etc.
• Lessons-learned: case results, defect reduction, crisis after-action reviews
• The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
• Standards & Benchmarks: Us vs. best practices & peers
• Your Business Plan: program performance against quantifiable objectives
• Performance: measurement of staff, vendors, etc.
• Value: Risk management, cycle times, cost mgt. ROI, etc.
• Accountability: the diligence of line business unit managers to protect against known risks
• Security’s effectiveness rated by customers
• Contributions to execution of the business mission and strategy

Moving From an Incident Trend to Metrics

• Look at the next several slides. You will see four
  distinct processes related to incident analysis. Each
  step involves some form of assessment, measurement
  and consideration of related metrics.

• More importantly, looking at risk this way helps form a
  more reliable assessment of root causes and the
  success of the revised security measures we propose to
  take.

Moving From an Incident Trend to Metrics

   Area of Risk: Increases in frequency and severity of workplace violence incidents


   We begin with the area of risk we are concerned about. In this example, we
   have noted a disturbing trend of more frequent workplace violence incidents
   at a particular location. Metrics are embedded in the incident reports. For
   example:

           • Frequency?
           • Location?
           • Time?
           • Contributing conditions or circumstances?
           • Apparent cause?
           • Failed business process?
           • What was the business impact?
           • What are the characteristics of persons involved? Is the likely
           perpetrator an insider or outsider?
Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents

     Contributing Vulnerabilities:
          • For past year 42% involved spousal conflicts with restraining orders
          • 34% on night shift involved alcohol
          • Post mortems indicate poor coordination & training of HR & Security personnel
          • Security not informed by HR of pending terminations


     What gaps in our security program may be contributing to this increase in
     frequency and severity of workplace violence incidents? When we have
     competent investigations with good incident reports we should drill down
     with a lessons-learned process that will reveal real causes rather than
     symptoms. Metrics are embedded in our findings regarding apparent
     vulnerabilities or failed security measures that contributed to the incident:

          • Is there a pattern in your findings that suggests a broader set of risks?
          • What business processes failed? Which ones should have mitigated
          risks like these? Who owns them?
          • What have we learned about the victims and perpetrators?
Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents

     Contributing Vulnerabilities:
          • For past year 42% involved spousal conflicts with restraining orders
          • 34% on night shift involved alcohol
          • Post mortems indicate poor coordination & training of HR & Security personnel
          • Security not informed by HR of pending terminations

     Mitigating Actions:
          • New policies on restraining orders & no alcohol on site
          • 1st line supervisors receive managing aggressive behavior training
          • HR/Security Intervention Team formed & trained
          • Workplace violence protocols & training implemented




     We now have a handle on broken processes and what it will likely take to fix
     them. Metrics are embedded in the post-incident steps taken to mitigate
     future incidents of this type:
          • What specific results are expected of the steps that have been taken?
          • What will the steps cost?
          • Who are the stakeholders?
          • How do we sell the proposed steps?
Moving from an Incident Trend to Metrics
     Area of Risk: Increases in frequency and severity of workplace violence incidents

     Contributing Vulnerabilities:
          • For past year 42% involved spousal conflicts with restraining orders
          • 34% on night shift involved alcohol
          • Post mortems indicate poor coordination & training of HR & Security personnel
          • Security not informed by HR of pending terminations

     Mitigating Actions:
          • New policies on restraining orders & no alcohol on site
          • 1st line supervisors receive managing aggressive behavior training
          • HR/Security Intervention Team formed & trained
          • Workplace violence protocols & training implemented

     Measures & Metrics:
          • Increases in reporting of restraining orders
          • % reductions in workplace violence & confrontations
          • % reductions in alcohol-related cases
          • Post mortems show training & intervention techniques work
          • Employee surveys show improved safety



     Metrics are embedded in the results of the risk mitigation activities:
          • What were the positive or negative results vs. those planned?
          • What savings or expenses will accrue
Communicating Your Findings
Using the data gathered from incident reports and case post-mortems during the past
year on workplace violence incidents, we can build a couple of PowerPoint graphics to
demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for
presentation purposes. The chart utility is fairly easy to use and offers a lot of chart
types and ability to play with content, appearance and analytical options such as trend
analysis.

Each of the following two slides may be used in a variety of opportunities:

- Advise top management on risk mitigation activities
- Demonstrate the effectiveness of a new or revised security measure
- Demonstrate value by reducing potentially costly litigation and reputational risk
- Engage and raise targeted business unit awareness of potential risk
- Modify a business process for increased safety and productivity
- Meet legal obligations for safe & secure workplaces
- Contribute to improved employee morale
- Celebrate an important collaboration

Investigative post mortems are especially effective in developing the data for a briefing
on this topic. What was learned, what have we done to prevent similar occurrences in
the future, what were the outcomes for victims, employees and perpetrators?
Example: From our incident database, we can construct an
   overall view of workplace violence for the current year:

[Bar chart; horizontal axis 0 to 100. Categories shown:]

Internal Threat
• Termination Assistance
• Employee Conduct
• Ex-employee Conduct

External Threat
• Domestic Violence (64% with restraining orders)
• Hostile Visitor
• Disgruntled Customer On site
• Telephone Threats*
• Mail Threats to Co.
• Bomb Threats

* Not bomb

Cumulative Impact of Steps Taken to Mitigate
          Workplace Violence at Assembly Plant # 4

[Chart; vertical axis -100.0 to 100.0, horizontal axis 1st Qtr to 4th Qtr. Series shown:]

• % Increase/Decrease in alcohol-related workplace violence incidents
• % Increase/Decrease in successful intervention since manager training
• % Increase/Decrease in voluntary reporting of restraining orders
• % Increase/Decrease in coordinated Security/HR interaction

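The quarterly % increase/decrease series on this slide are metrics in the sense of the earlier definitions: counts per period (measurements) compared against a baseline period. As an added example, not part of the original presentation, the following Python code derives them from incident records; the records, factor names and function names are all constructed for illustration.

```python
from collections import Counter

QUARTERS = (1, 2, 3, 4)

# Constructed sample records (not data from the presentation):
# (reporting quarter, location, contributing factors noted in the post-mortem)
INCIDENTS = [
    (1, "Plant 4", {"alcohol", "night_shift"}),
    (1, "Plant 4", {"alcohol"}),
    (1, "Plant 4", {"restraining_order"}),
    (1, "Plant 4", {"pending_termination"}),
    (2, "Plant 4", {"alcohol"}),
    (2, "Plant 4", {"restraining_order"}),
    (2, "Plant 4", set()),
    (3, "Plant 4", {"restraining_order"}),
    (3, "Plant 4", {"alcohol"}),
    (4, "Plant 4", {"restraining_order"}),
]


def validate(incidents):
    """Reject records that cannot be trended: each needs a known period and location."""
    for quarter, location, factors in incidents:
        if quarter not in QUARTERS or not location:
            raise ValueError(f"unusable record: {(quarter, location, factors)!r}")
    return incidents


def measurements(incidents, factor=None):
    """Measurement: a point-in-time count per quarter, optionally for one factor."""
    counts = Counter(
        quarter
        for quarter, _location, factors in validate(incidents)
        if factor is None or factor in factors
    )
    # A quarter with no incidents is a measurement of zero, not a missing value.
    return {q: counts.get(q, 0) for q in QUARTERS}


def metric_vs_baseline(counts, baseline_quarter=1):
    """Metric: percent change of each quarter's count against the baseline count.

    Returns None for every quarter when the baseline count is zero, because a
    percentage change from zero is undefined and should not be charted.
    """
    base = counts[baseline_quarter]
    if base == 0:
        return {q: None for q in counts}
    return {q: round(100.0 * (n - base) / base, 1) for q, n in counts.items()}


def factor_share(incidents, factor):
    """Percent of all incidents in which a contributing factor was recorded."""
    records = validate(incidents)
    hits = sum(1 for _q, _location, factors in records if factor in factors)
    return round(100.0 * hits / len(records), 1) if records else 0.0


if __name__ == "__main__":
    all_counts = measurements(INCIDENTS)
    alcohol_counts = measurements(INCIDENTS, "alcohol")
    print("incidents per quarter:       ", all_counts)
    print("% change vs 1st Qtr:         ", metric_vs_baseline(all_counts))
    print("alcohol-related per quarter: ", alcohol_counts)
    print("% change vs 1st Qtr:         ", metric_vs_baseline(alcohol_counts))
    print("% with restraining order:    ", factor_share(INCIDENTS, "restraining_order"))
```

The same records feed both kinds of figure: `measurements` gives the counts, and `metric_vs_baseline` turns them into the trend series, which is why the reliability of the underlying incident reports matters.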
Summary
• We own a unique database of business performance measures
  and metrics

• Our metrics enable and support a key value proposition: our
  ability to positively influence enterprise protection, corporate
  policy and behavior

• Our programs can materially contribute to corporate health and
  profitability

• We have an obligation to inform, educate and eliminate
  plausible denial

• We need to graphically demonstrate to management how we
  are probing the weak spots and influencing change



Where to Find More on Security Metrics

To learn more about the Security Executive Council and security
metrics, go to www.securityexecutivecouncil.com.



          Portions of this presentation are from:
          Measures and Metrics in Corporate Security




George K. Campbell

George is currently a member of the Emeritus Faculty of the Security Executive Council and a
Managing Partner in the Business Security Advisory Group, a professional security
consultancy and is a He retired in 2002 as Chief Security Officer at Fidelity Investments, the
world’s largest privately owned financial services firm. Under George’s leadership, the global
corporate security organization delivered a wide range of proprietary services including
information security, disaster recovery planning, background, due diligence and criminal
investigations, fraud prevention, property protection and security system engineering. During
the period 1989-92 George owned his own security-consulting firm and from 1978-89 was
Group Vice President at a system engineering firm supporting worldwide U.S. Government
security programs. His criminal justice career from 1965 to 1978 was spent in various line
and senior management functions within federal, state and local government agencies.

He is a frequent contributor to professional security journals and seminars and is the author of
Measures and Metrics in Corporate Security published in 2005 by the Security Executive
Council.

George received his baccalaureate degree (Police Administration) from American University,
Washington, D.C. in 1965. He is a Life Member and served on the Board of Directors of the
International Security Management Association from 1998-2003 and as ISMA’s President in
2002-03. George has been a member of the American Society for Industrial Security since 1978. He is
an alumnus of the U.S. Department of State, Overseas Security Advisory Council, former
member of the High Technology Crime Investigation Association and the Association of
Certified Fraud Examiners.
