Many people find the idea of creating Information Security Metrics to be a daunting task. This article will help you by reviewing what is required to create a set of meaningful metrics for your Information Security Program.
A number of years ago I was working on an information security strategy and was asked to create the metrics to measure the success of our Information Security program. I was given the name of our local specialist on results analysis and asked her, "How can we measure the success of our information security program?" Her immediate response was, "What are your objectives?" That reply took me a bit by surprise, but what she was asking me, basically, was "How can you tell when you get there if you don't know where you're going?" A bit like the Cheshire Cat in Alice in Wonderland, who told her it didn't matter much which road she took if she didn't know where she was going.
As an answer to her I proudly replied, "Our objective is to ensure that our information is secure!" The next question, of course, is what all the steps (the road map) to get there are; i.e., the intermediate objectives. This would require ensuring that all staff were aware of the need for information security, and providing them with the standards, guidelines, forms, and procedures to identify the right security controls required.
In this context, then, the term "metrics" refers to specific objectives that have defined measurements (i.e., Objective + Measurement = Metric).