A Security Metrics Story: Turning Data into Metrics

Description: A step-by-step guide on how to build your security metrics program. Demonstrate security’s value through clear alignment with business strategy and objectives.

Page 1

A Security Metrics Story: Turning Data into Metrics

George Campbell
Emeritus Faculty, Security Executive Council

Copyright 2008 Security Executive Council

Page 2

Key Objectives for Security Metrics

• Positively influence action, attitude and policy
• Materially impact exposure to specific risks
• Demonstrate security’s value through clear alignment with business strategy and objectives
• Measure the success of our diverse programs

Page 3

Some Basic Definitions*

• Measurements: single point-in-time views of specific factors, generated by counting.
  Example: number of life safety vulnerabilities detected by Security Officers on tours.

• Metrics: generated from analysis, by comparing two or more measurements taken over time against a pre-determined baseline.
  Example: change in the number of life safety vulnerabilities detected by Security Officers on tours since the last reporting period.

*A Guide to Security Metrics, Shirley Payne, SANS Institute, 2002

Page 4

What do You Want to do With Your Metrics?

• Report on Risk
• Risk Awareness in Business Units
• Reveal Lessons-Learned from Incidents
• Track Trends
• Track Program Performance
• Measure Security’s Influence
• Measure Security’s Value
• Security Overview: a Report to Management
• Other message or report?

Page 5

Fundamental Requirement: Good Data!

“Good” =

– Timely incident & investigation reports, competently prepared and reviewed by security management
– Content of reports, logs and other data sources that is valid, accurate and reliable
– A platform that enables enterprise-wide data entry from all sources of incident and event data, querying for trends, analytical searching and interfaces with tools such as Microsoft Excel and PowerPoint
– A data analysis process that enables and provides assurance of verifiable conclusions
– Clear ownership and accountability for data reliability
– Regardless of source, the data must be quantifiable, repeatable (for trending), obtainable and feasible to measure

Page 6

What Types of Actionable Metrics?

• Your Business Plan: program performance against quantifiable objectives
• Trends: external and internal risk factors targeted by security programs
• Change: relationship of security programs to an improved state of risk management
• Standards & Benchmarks: us vs. best practices & peers
• Accountability: the diligence of line business unit managers to protect against known risks
• Value: risk management, cycle times, cost management, ROI, etc.
• Security’s effectiveness: rated by customers
• Lessons learned: case results, defect reduction, crisis after-action reviews
• Performance measurement of staff, vendors, etc.
• The “hygiene” of the firm: business conduct, continuity, integrity, incident rates, etc.
• Project status: schedules, budget burn rates, results to plan, etc.
• Contributions to execution of the business mission and strategy

“There are three kinds of lies: Lies, damn lies and statistics.”

Page 7

Moving From an Incident Trend to Metrics

Look at the next several slides. You will see four distinct processes related to incident analysis. Each step involves some form of assessment, measurement and consideration of related metrics.

More importantly, looking at risk this way helps form a more reliable assessment of root causes and of the success of the revised security measures we propose to take.

Page 8

Moving From an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

We begin with the area of risk we are concerned about. In this example, we have noted a disturbing trend of more frequent workplace violence incidents at a particular location. Metrics are embedded in the incident reports. For example:

• Frequency?
• Location?
• Time?
• Contributing conditions or circumstances?
• Apparent cause?
• Failed business process?
• What was the business impact?
• What are the characteristics of persons involved? Is the likely perpetrator an insider or outsider?

Page 9

Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities:
– For the past year, 42% involved spousal conflicts with restraining orders
– 34% on night shift involved alcohol
– Post mortems indicate poor coordination & training of HR & Security personnel
– Security not informed by HR of pending terminations

What gaps in our security program may be contributing to this increase in frequency and severity of workplace violence incidents? When we have competent investigations with good incident reports, we should drill down with a lessons-learned process that will reveal real causes rather than symptoms. Metrics are embedded in our findings regarding apparent vulnerabilities or failed security measures that contributed to the incident:

• Is there a pattern in your findings that suggests a broader set of risks?
• What business processes failed? Which ones should have mitigated risks like these? Who owns them?
• What have we learned about the victims and perpetrators?

Page 10

Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities: as identified on the previous slide (restraining orders in spousal conflicts, alcohol on night shift, poor HR/Security coordination and training, Security not informed of pending terminations)

Mitigating Actions:
– New policies on restraining orders & no alcohol on site
– 1st line supervisors receive managing aggressive behavior training
– Workplace violence protocols & training implemented
– HR/Security Intervention Team formed & trained

We now have a handle on broken processes and what it will likely take to fix them. Metrics are embedded in the post-incident steps taken to mitigate future incidents of this type:

• What specific results are expected of the steps that have been taken?
• What will the steps cost?
• Who are the stakeholders?
• How do we sell the proposed steps?

Page 11

Moving from an Incident Trend to Metrics

Area of Risk: Increases in frequency and severity of workplace violence incidents

Contributing Vulnerabilities and Mitigating Actions: as on the two previous slides

Measures & Metrics:
– Increases in reporting of restraining orders
– % reductions in workplace violence & confrontations
– % reductions in alcohol-related cases
– Post mortems show training & intervention techniques work
– Employee surveys show improved safety

Metrics are embedded in the results of the risk mitigation activities:

• What were the positive or negative results vs. those planned?
• What savings or expenses will accrue?

Page 12

Communicating Your Findings

Using the data gathered from incident reports and case post-mortems during the past year on workplace violence incidents, we can build a couple of PowerPoint graphics to demonstrate the impact of our risk mitigation activities. I use Microsoft PowerPoint for presentation purposes. The chart utility is fairly easy to use and offers a lot of chart types and the ability to adjust content, appearance and analytical options such as trend analysis.

Each of the following two slides may be used for a variety of purposes:

- Advise top management on risk mitigation activities
- Demonstrate the effectiveness of a new or revised security measure
- Demonstrate value by reducing potentially costly litigation and reputational risk
- Engage and raise targeted business unit awareness of potential risk
- Modify a business process for increased safety and productivity
- Meet legal obligations for safe & secure workplaces
- Contribute to improved employee morale
- Celebrate an important collaboration

Investigative post-mortems are especially effective in developing the data for a briefing on this topic: what was learned, what have we done to prevent similar occurrences in the future, and what were the outcomes for victims, employees and perpetrators?

Page 13

Example: From our incident data base, we can construct an overall view of workplace violence for the current year:

[Bar chart: workplace violence incidents by category for the current year, each category split into Internal Threat and External Threat; horizontal axis 0 to 100. Categories: Termination Assistance; Employee Conduct; Ex-employee Conduct; Domestic Violence; Hostile Visitor; Disgruntled Customer On site; Telephone Threats (not bomb); Mail Threats to Co.; Bomb Threats. Chart annotation: 64% with restraining orders.]

Page 14

Cumulative Impact of Steps Taken to Mitigate Workplace Violence at Assembly Plant # 4

[Chart: quarterly series, 1st Qtr to 4th Qtr; vertical axis % increase/decrease from -100.0 to +100.0. Series plotted:
– % Increase/Decrease in alcohol-related workplace violence incidents
– % Increase/Decrease in successful intervention since manager training
– % Increase/Decrease in voluntary reporting of restraining orders
– % Increase/Decrease in coordinated Security/HR interaction]
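The four-step chain on pages 8 through 11 (area of risk, contributing vulnerabilities, mitigating actions, measures & metrics) and the quarterly chart on this slide both rest on the page-3 distinction: a measurement is a count at one point in time, a metric compares measurements over time against a baseline. The Python below is an added example, not code from the deck or from the Security Executive Council. It runs that distinction over a constructed incident log for a hypothetical plant; the incident records, the field names, and every share and percent change they produce are invented for illustration and are not the slide's 42%, 34% or 64% figures.

```python
"""Turning incident data into measurements and metrics.

Added example, not part of the original deck. The incident records are
constructed for illustration (an invented Assembly Plant #4 log); the
shares and percent changes they yield are not the slide's figures.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

QUARTERS = ("Q1", "Q2", "Q3", "Q4")


@dataclass(frozen=True)
class Incident:
    quarter: str             # reporting period the incident falls in
    shift: str               # "day" or "night"
    alcohol: bool            # alcohol was a contributing condition
    restraining_order: bool  # a restraining order had been reported to Security
    intervention_ok: bool    # supervisor or HR/Security intervention de-escalated it


# Constructed sample log: 14 incidents over four quarters (not real data).
INCIDENTS: List[Incident] = [Incident(*row) for row in [
    # quarter, shift,  alcohol, restraining_order, intervention_ok
    ("Q1", "night", True,  False, False),
    ("Q1", "night", True,  False, False),
    ("Q1", "day",   False, True,  False),
    ("Q1", "night", False, False, True),
    ("Q1", "day",   False, False, False),
    ("Q2", "night", True,  False, True),
    ("Q2", "day",   False, True,  True),
    ("Q2", "night", False, True,  False),
    ("Q2", "day",   False, False, True),
    ("Q3", "night", True,  False, True),
    ("Q3", "day",   False, True,  True),
    ("Q3", "day",   False, True,  True),
    ("Q4", "day",   False, True,  True),
    ("Q4", "night", False, False, True),
]]

Predicate = Callable[[Incident], bool]


def measure(records: List[Incident], predicate: Predicate = lambda r: True) -> int:
    """Measurement (page 3): a single point-in-time count of records matching a factor."""
    return sum(1 for r in records if predicate(r))


def share(records: List[Incident], predicate: Predicate) -> Optional[float]:
    """Percent of records matching the factor; None when there is nothing to divide by."""
    if not records:
        return None
    return round(100.0 * measure(records, predicate) / len(records), 1)


def pct_change(current: int, baseline: int) -> Optional[float]:
    """Metric (page 3): percent change of a measurement against a pre-determined baseline.

    Undefined (None) when the baseline count is zero; reporting +inf or 0
    there would misstate the trend.
    """
    if baseline == 0:
        return None
    return round(100.0 * (current - baseline) / baseline, 1)


def by_quarter(records: List[Incident], predicate: Predicate = lambda r: True) -> Dict[str, int]:
    """Repeatable per-period measurements, the raw material for trending (page 5)."""
    counts = Counter(r.quarter for r in records if predicate(r))
    return {q: counts.get(q, 0) for q in QUARTERS}


def trend(records: List[Incident], predicate: Predicate, baseline: str = "Q1") -> Dict[str, Optional[float]]:
    """One series of the page-14 chart: % increase/decrease per quarter vs. the baseline quarter."""
    counts = by_quarter(records, predicate)
    return {q: pct_change(counts[q], counts[baseline]) for q in QUARTERS if q != baseline}


def contributing_vulnerabilities(records: List[Incident]) -> dict:
    """Page-9 style drill-down: which factors recur across the period's incidents."""
    night = [r for r in records if r.shift == "night"]
    return {
        "restraining_order_share": share(records, lambda r: r.restraining_order),
        "night_shift_alcohol_share": share(night, lambda r: r.alcohol),
        "unsuccessful_interventions": measure(records, lambda r: not r.intervention_ok),
    }


if __name__ == "__main__":
    print("incidents per quarter (measurements):", by_quarter(INCIDENTS))
    print("contributing vulnerabilities:", contributing_vulnerabilities(INCIDENTS))
    print("all incidents vs Q1 (metric):", trend(INCIDENTS, lambda r: True))
    print("alcohol-related vs Q1:", trend(INCIDENTS, lambda r: r.alcohol))
    print("successful interventions vs Q1:", trend(INCIDENTS, lambda r: r.intervention_ok))
    print("restraining orders reported vs Q1:", trend(INCIDENTS, lambda r: r.restraining_order))
```

The same predicate is applied to every period, which is what makes the counts repeatable and the series comparable; a baseline quarter with zero matching incidents yields an undefined change rather than a misleading number, the kind of data-quality check page 5 asks for before a figure reaches a management slide.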

Page 15

Summary

• We own a unique database of business performance measures and metrics

• Our metrics enable and support a key value proposition: our ability to positively influence enterprise protection, corporate policy and behavior

• Our programs can materially contribute to corporate health and profitability

• We have an obligation to inform, educate and eliminate plausible denial

• We need to graphically demonstrate to management how we are probing the weak spots and influencing change

Page 17

George K. Campbell

George is currently a member of the Emeritus Faculty of the Security Executive Council and a Managing Partner in the Business Security Advisory Group, a professional security consultancy. He retired in 2002 as Chief Security Officer at Fidelity Investments, the world’s largest privately owned financial services firm. Under George’s leadership, the global corporate security organization delivered a wide range of proprietary services including information security, disaster recovery planning, background, due diligence and criminal investigations, fraud prevention, property protection and security system engineering. During the period 1989-92 George owned his own security consulting firm, and from 1978-89 he was Group Vice President at a system engineering firm supporting worldwide U.S. Government security programs. His criminal justice career from 1965 to 1978 was spent in various line and senior management functions within federal, state and local government agencies.

He is a frequent contributor to professional security journals and seminars and is the author of Measures and Metrics in Corporate Security, published in 2005 by the Security Executive Council.

George received his baccalaureate degree (Police Administration) from American University, Washington, D.C. in 1965. He is a Life Member of the International Security Management Association, served on its Board of Directors from 1998-2003 and as ISMA’s President in 2002-03. George has been a member of the American Society for Industrial Security since 1978. He is an alumnus of the U.S. Department of State Overseas Security Advisory Council, and a former member of the High Technology Crime Investigation Association and the Association of Certified Fraud Examiners.