Ruslan Rakhmetov, Security Vision
In the previous article, we covered the basic concepts of measuring the effectiveness of information security processes. For a holistic approach, you should also turn to international best practices and standards that describe recommended ways of quantifying the quality of cybersecurity processes. NIST SP 800-55 and ISO/IEC 27004:2016 are two such documents.
The NIST SP 800-55 document, Performance Measurement Guide for Information Security, was published in 2008, and a second revision is currently being prepared. The document takes an interesting conceptual approach to IS performance measurement: all terminology and requirements are logically tied to the other NIST 800-series standards, and the publication stresses the importance of supporting IS measurement processes at every level of company management, citing benefits such as greater process transparency, improved IS effectiveness, simpler compliance procedures, measurable inputs for informed resource allocation decisions, and budget savings through processing
The document also identifies factors that can make a project to implement correct IS process metrics difficult: lack of resources, lack of training and skills, the number of new and updated information systems deployed without protective measures, compatibility of software with security features, lack of support from company management, lack of documented IS policies and procedures, vulnerabilities and flaws in system architecture, and inefficiently designed planning and implementation processes, including switch processes
The metrics chosen to measure the effectiveness of cybersecurity processes cover the automation of information gathering and the complexity of that process, the availability of data for analysis, operational IS procedures, and IS processes as a whole. The metrics used to assess maturity include metrics for the direct achievement of the information security units' goals, an assessment of the complexity of implementing IS processes, metrics for efficiency and cost-effectiveness, and an assessment of the impact of cybersecurity on business processes. The assessment generally uses a quantitative metric expressed as a percentage: the number of actions actually performed divided by the maximum possible number of measures implemented.
The following steps are suggested to implement IS metrics:
1. Prepare for data collection for the IS performance assessment, including developing and approving an IS metrics implementation plan with assigned roles and responsibilities, and approving the data collection process, assessment tools, communication and reporting.
2. Collect data and analyse the results, including aggregating the collected information, consolidating it in a standard format, conducting a gap analysis to assess the amount of uncollected data, and identifying the causes of difficulties and ways to improve.
3. Identify corrective actions, including defining their scope, prioritising them and selecting the most relevant corrective steps.
4. Provide a business case and allocate resources.
5. Implement the corrective actions.
The following are provided as a sample list of information security metrics:
1. Percentage of IT budget allocated to cybersecurity (note that this metric may be considered outdated, as IS departments of large companies now typically have an independent budget)
2. Percentage of high-level vulnerabilities (CVSS) remediated from the moment of detection over a specified period of time
3. Percentage of remote connection points that can be exploited for unauthorised access
4. Percentage of employees who have received information security training
5. Average frequency of audit log analysis to detect unauthorised operations
6. Percentage of agreed and implemented configuration changes (in relation to the total number of changes made)
7. Percentage of information systems that have undergone annual business continuity and recovery testing
8. Percentage of staff with access to shared or non-personalised accounts
9. Percentage of incidents handled within the time period specified for each category
10. Percentage of information systems that undergo maintenance according to a documented schedule
11. Percentage of storage media that undergo data cleansing (sanitisation) prior to disposal
12. Percentage of incidents of unauthorised physical access to premises with information systems
13. Percentage of employees who gain access to information systems only after being familiarised, against signature, with the rules for working with them
14. Percentage of employees checked by the Security Service who gain access to corporate information systems
15. Percentage of contracts for the purchase of systems and services in which information security requirements/specifications were specified
16. Percentage of software vulnerabilities that have been patched.
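The metrics above, and the general percentage formula described earlier in the article, are all ratios of "measures actually performed" to "maximum possible". The following script is an added example (not from the article, NIST SP 800-55 or Security Vision) that computes metric 2 (high-severity vulnerabilities remediated within a set period) and metric 9 (incidents handled within the period defined for their category) over constructed sample records. The CVSS threshold of 7.0 for "high", the 30-day remediation window and the per-category periods in SLA_DAYS are assumptions chosen for the example; the zero-denominator case is reported as "no data" rather than as 0% or 100%, which is the usual trap when a percentage metric is automated.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

HIGH_CVSS = 7.0  # assumption: "high-level" means a CVSS base score of 7.0 or more


def percentage(numerator: int, denominator: int) -> Optional[float]:
    """Ratio metric as a percentage, rounded to one decimal.
    Returns None when nothing was measurable, so an empty population shows up
    as a data gap in the gap analysis instead of a misleading 0% or 100%."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


@dataclass
class Vulnerability:
    asset: str
    cvss: float
    detected: date
    remediated: Optional[date]  # None = still open


@dataclass
class Incident:
    category: str
    opened: date
    closed: Optional[date]  # None = still being handled


def high_vulns_remediated_within(vulns: Iterable[Vulnerability], window_days: int) -> Optional[float]:
    """Metric 2: share of high-severity vulnerabilities remediated within
    `window_days` of detection. Findings still open count against the metric."""
    high = [v for v in vulns if v.cvss >= HIGH_CVSS]
    on_time = sum(
        1 for v in high
        if v.remediated is not None and (v.remediated - v.detected).days <= window_days
    )
    return percentage(on_time, len(high))


def incidents_handled_in_time(incidents: Iterable[Incident], sla_days: Dict[str, int]) -> Tuple[Optional[float], int]:
    """Metric 9: share of incidents closed within the period defined for their
    category. Incidents whose category has no defined period cannot be measured;
    they are left out of the denominator and returned separately so the
    gap-analysis step can flag them."""
    incidents = list(incidents)
    measurable = [i for i in incidents if i.category in sla_days]
    on_time = sum(
        1 for i in measurable
        if i.closed is not None and (i.closed - i.opened).days <= sla_days[i.category]
    )
    return percentage(on_time, len(measurable)), len(incidents) - len(measurable)


# Constructed sample data for the example (not real findings or incidents).
SAMPLE_VULNS = [
    Vulnerability("web-01", 9.8, date(2024, 3, 1), date(2024, 3, 10)),  # high, fixed in 9 days
    Vulnerability("web-02", 7.5, date(2024, 3, 1), date(2024, 4, 20)),  # high, fixed after 50 days
    Vulnerability("db-01", 8.1, date(2024, 3, 5), None),                # high, still open
    Vulnerability("app-03", 4.3, date(2024, 3, 5), date(2024, 3, 6)),   # medium, not in scope
]
SAMPLE_INCIDENTS = [
    Incident("malware", date(2024, 3, 1), date(2024, 3, 2)),    # 1 day, within 3-day period
    Incident("malware", date(2024, 3, 5), date(2024, 3, 12)),   # 7 days, late
    Incident("phishing", date(2024, 3, 6), date(2024, 3, 6)),   # same day, within 1-day period
    Incident("dos", date(2024, 3, 7), date(2024, 3, 7)),        # no period defined for "dos"
]
SLA_DAYS = {"malware": 3, "phishing": 1}  # assumed handling periods per category


def metrics_report(vulns, incidents, sla_days, window_days=30) -> dict:
    """Collects the two metrics in one record, ready for the reporting step."""
    handled, unclassified = incidents_handled_in_time(incidents, sla_days)
    return {
        "high_vulns_remediated_within_window_pct": high_vulns_remediated_within(vulns, window_days),
        "incidents_handled_in_time_pct": handled,
        "incidents_without_defined_period": unclassified,
    }


if __name__ == "__main__":
    print(metrics_report(SAMPLE_VULNS, SAMPLE_INCIDENTS, SLA_DAYS))
```

With the sample data, one of three high-severity findings was fixed within 30 days (33.3%), two of three measurable incidents were closed in time (66.7%), and one incident is reported as unmeasurable because its category has no defined handling period.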
The document also presents a set of metrics that can be applied when developing or maintaining information systems. The measures provided include:
1. Percentage of product flaws/defects that negatively impact the cybersecurity posture of the information system
2. Percentage of IS measures incorporated in the design and development of the system
3. Number of entry points into the system through which potentially malicious control signals could be delivered
4. Number of vulnerabilities and where they are found
5. Number of deviations of the model and final product from IS requirements
6. Percentage of eliminated vulnerabilities
7. Deviation in IS plans and costs from those included in the information system implementation/acquisition project
8. Percentage of unfulfilled IS requirements.
In addition to the above metrics, other metrics can be used such as:
1. Percentage of normally functioning asset properties after a cyber attack
2. Average length of attack paths in the cyberattack graph (number of network nodes traversed before reaching the IT asset being assessed)
3. Percentage of compromised hosts on the network over a period of time
4. Probability of exploitation of the IT asset vulnerability (can be calculated based on CVSS metrics)
5. Level of negative impact of the exploit after successful launch
6. Number of potential cyber attack vectors and paths in the network
7. Percentage of IT assets that can be promptly replaced by alternative solutions or restored from backups
8. Availability of redundant/reserve IT resources for critical business processes
9. Availability of information systems supporting business processes
10. Shortest path to compromise an IT asset (based on cyber attack graphs)
11. Percentage of hosts in the network for which vulnerabilities are known.
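Metrics 2, 6, 10 and 11 in this last list are derived from an attack graph, a model of which assets can be reached from which once an attacker holds them. The script below is an added example (not from the article or any tool mentioned in it) that computes those four metrics on a small constructed asset graph: the number of paths to the assessed asset, their average length, the shortest path (multi-source breadth-first search from the modelled entry points) and the share of hosts with known vulnerabilities. The graph, host names and the set of vulnerable hosts are constructed for the example, and the edge semantics (an edge X -> Y means "a compromise of X gives reach to Y") is an assumption; a real assessment would build the edges from the network and vulnerability inventories.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

Graph = Dict[str, List[str]]  # adjacency list: node -> nodes reachable from it


def shortest_path_to_asset(graph: Graph, entry_points: Iterable[str], target: str) -> Optional[int]:
    """Metric 10: hops from the nearest entry point to the assessed asset.
    Multi-source BFS visits nodes in non-decreasing distance order, so the first
    time the target is dequeued its distance is minimal. None means the asset is
    unreachable from every modelled entry point."""
    dist = {e: 0 for e in entry_points}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def simple_paths(graph: Graph, source: str, target: str, limit: int = 1000) -> List[List[str]]:
    """All paths from source to target that visit no node twice.
    `limit` caps enumeration because the count grows exponentially on dense graphs."""
    found: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if len(found) >= limit:
            return
        if node == target:
            found.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(source, [source])
    return found


def attack_path_metrics(graph: Graph, entry_points: Iterable[str], target: str) -> dict:
    """Metrics 6 and 2: number of distinct paths to the asset and their average
    length in hops, plus the shortest one for cross-checking against BFS."""
    paths: List[List[str]] = []
    for entry in entry_points:
        paths.extend(simple_paths(graph, entry, target))
    if not paths:
        return {"paths": 0, "avg_hops": None, "shortest_hops": None}
    hops = [len(p) - 1 for p in paths]
    return {
        "paths": len(paths),
        "avg_hops": round(sum(hops) / len(hops), 2),
        "shortest_hops": min(hops),
    }


def pct_hosts_with_known_vulns(hosts: Iterable[str], known_vulnerable: Iterable[str]) -> Optional[float]:
    """Metric 11: share of inventoried hosts with at least one known vulnerability."""
    hosts = set(hosts)
    if not hosts:
        return None
    return round(100.0 * len(hosts & set(known_vulnerable)) / len(hosts), 1)


# Constructed sample graph (not a real network). "internet" is the modelled
# entry point; "backup" has no incoming edge and so is unreachable.
SAMPLE_GRAPH: Graph = {
    "internet": ["vpn", "web"],
    "vpn": ["fileshare"],
    "web": ["app"],
    "app": ["db"],
    "fileshare": ["db", "app"],
    "backup": [],
}
SAMPLE_HOSTS: Set[str] = {"vpn", "web", "app", "fileshare", "db"}
KNOWN_VULNERABLE: Set[str] = {"web", "fileshare", "db"}  # constructed

if __name__ == "__main__":
    print("shortest path to db:", shortest_path_to_asset(SAMPLE_GRAPH, ["internet"], "db"))
    print("path metrics for db:", attack_path_metrics(SAMPLE_GRAPH, ["internet"], "db"))
    print("hosts with known vulns:", pct_hosts_with_known_vulns(SAMPLE_HOSTS, KNOWN_VULNERABLE))
```

On the sample graph there are three distinct paths from the entry point to "db" (average 3.33 hops, shortest 3), "backup" is unreachable, and 60% of hosts carry a known vulnerability. Tracking these values over time, for instance after a segmentation change or a patch cycle, is what turns the graph into a metric: a rising shortest-path length or a falling path count shows the change actually reduced exposure of the assessed asset.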