Research Paper: Information Security and Assurance

Pages: 4 (1223 words)  ·  Bibliography Sources: 4  ·  Level: Master's  ·  Topic: Business

"… Metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions, based on observed measurements. …" (Swanson, n.d.)

Metrics are a set of security processes that, when applied to the security system, are intended to monitor the status of the security process, identify and prevent problems, and facilitate improvement by applying corrective action. Security breaches often occur due to a mixture of defective communication protocols, lack of awareness of security procedures or recklessness, defective software designs, improper procedures, bad configurations of systems, and so forth (Pedro & Ashutosh, 2010). Organizations, such as the Trusted Computer System Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), Systems Security Engineering Capability Maturity Model (SSE-CMM), and the Common Criteria, have therefore formulated a series of standards, or models, and metrics that are intended to identify and prevent problems and to correct problems when they occur (Jansen, n.d.). The models that formulate the metrics, and the metrics themselves (i.e. the measurements), help organizations by seeking out security problems before they occur and by addressing them if and when they do.

Models and Metrics

There is a difference between models and metrics. Models measure discrete factors of data at a single point in time and formulate theoretical or quantitative conclusions, whilst metrics are the result of the analysis and are objective or subjective interpretations of the numerical data points (Chowdhary & Mezzeapelle, n.d.). Metrics are a derivation of the models. They are an instrument of the models and are used to apply the insights of the models to security systems, in either a quantitative or a qualitative fashion. By being applied in a practical way, they also test the instrumentality of the models and show whether the models do indeed work and, if so, whether they do so in a replicable fashion. The different models, with metrics as their offshoot, are devised as a security process in order to identify security problems if and when they occur and to address them.

Security metrics can be categorized in various ways. One way is to categorize them according to the maturity level of the process, i.e. the metrics that are popularly and traditionally used for constructing and monitoring the system. These include security processes as well as the procedures and training used when designing, configuring, operating and maintaining the system. Then there are those metrics that test for and denote the extent to which security is, or is not, present in a system. These include those that test the security posture of a system and the level of risk involved (Pedro & Ashutosh, 2010).

The three main categories of models and metrics

1. Implementation models are used in connection with implementing information security programs, specific security controls, and similar policies and procedures. Operational metrics are developed from these measures and are usually quantitative in nature, relating to business unit managers, security in the business unit, and security managers.

2. Effectiveness / efficacy models assess whether program-level processes and system-level security controls are used correctly and provide the desired outcome. Efficacy metrics are derived from these and ensure that the organization is run in an effective way, with valuable data kept safe and locked up rather than leaking out.

3. Business impact models are used to describe the impact of information security on an organization's goals.

Business-centric metrics are developed from these measures and are usually practical, comprehensive and analytical, with an audience generally consisting of senior executives and other leading personnel (Chowdhary & Mezzeapelle, n.d.).

These are just… [END OF PREVIEW]


Cite This Research Paper:

APA Format

Information Security and Assurance.  (2012, February 7).  Retrieved October 16, 2019, from https://www.essaytown.com/subjects/paper/information-security-assurance/159249
