Just like any other facet in a company, even IT security has to be measured. Without such measurement, the company cannot know for sure if the system incorporated by IT security is indeed as efficient as it should be. This is precisely why there is a need for IT security metrics to be implemented.  Janco has a HandiGuide , Metrics for the Internet, Information Technology, and Service Management, which has specific metrics defined for every facet of IT technology.

In its simplest form, there are a number of levels at which IT security metrics can be obtained in company or an organization. But what usually happens here is that metrics are collected right down at the system level. Depending on the need and the size of the company or organization, these metrics are then moved upwards onto higher levels. Regardless of how these detailed metrics are moved upwards, what remains here is the fact that IT security metrics should be founded on the objectives and performance goals implemented by IT security.

If you are wondering just how IT security metrics can monitor the progress of such objectives and goals being accomplished, it is actually quite pretty simple. It is through the quantifying of certain aspects entailed in the process. These aspects include the security controls implemented, as well as the efficiency of such controls, the analysis on just how adequate certain implemented activities concerning security have been, and the id

entification of proper courses of action geared towards improvement. All of these aspects should be quantified so that the accomplishment of said objectives and goals would be achieved in the long run. Aside from these, the objectives and goals of other facets in the organization have to be determined and added to the list of priorities as well. This should be done so that all measurable factors of security performance will be guided accordingly, with the company's operational priorities in mind. These measurable factors include the objectives and goals of legislation, federal, regulations, and both external and internal guidance.

It is very difficult to compare collected data if they are not quantifiable because it is through the use of quantifiable data that unbiased comparisons would be made. What's more, without quantifiable data, it would be very hard to utilize the appropriate formulas needed for further data analysis. Aside from the data being quantifiable, the process used in the analysis of such data should be measurable as well.

Beyond being quantifiable, IT security metrics have to be accurate in monitoring the overall performance of the company, as well as directing its funds and resources accordingly. For IT security metrics to be very beneficial, these should have the ability to determine and predict future trends in terms of performance. This way, the company can come up with the much needed solutions to address future needs that would come about.

There is no question about it that the utilization of IT security metrics is indeed very beneficial. There are many organizational benefits to this endeavor. Firstly, the data collected actually enables the members of the management to determine the specific controls that are not enforced correctly. These controls may be operational, technical, or even managerial in nature. With the implementation of IT security metrics, these are determined more easily.