Information Security is an integral part of any IT system and should
not be overlooked. However, it can be rather difficult to justify the
budget spent on this IT component. To estimate the value of security
controls, executives traditionally use the ROI (Return on Investment)
and ROSI (Return on Security Investment) frameworks. However, these
measures don't always reflect the actual efficiency of the security
means. Because ROI and ROSI succeed only to varying degrees, many
organizations opt for the Balanced Scorecard approach for their IT
security performance evaluation. In this brief post we define the basic
principles of the BSc evaluation framework and give examples of
Information Security key performance indicators.
Scorecard in Brief
The Balanced Scorecard business evaluation framework has been around
for about 15 years. It was initially introduced in 1992 as a way to
demonstrate the implementation of non-material, intangible business
goals. Ever since the first publication, the framework has become
tremendously popular with organizations of very different kinds:
military units, schools, manufacturing, and non-profit companies. This
business strategy evaluation system gives a holistic picture of the
company's well-being from four viewpoints, or Perspectives (three
non-financial and one financial). Such a scorecard helps answer the
most crucial questions of any business entity:
What do our customers think about us? - Customer Perspective.
What are the underlying drivers of our success? - Internal Processes Perspective.
Do we work on improvement of our product? - Learning and Growth Perspective.
What do our shareholders think about our financial health? - Financial Perspective.
The presence of different perspectives allows business owners not only
to evaluate their company's performance, but also to identify the
aspects that influence the firm's success the most.
Balanced Scorecard in Information Security
In fact, the BSc approach to Information Security evaluation serves as
a bridge between employees and senior executives, since it can present
complicated IT data in a way that is comprehensible to people who have
nothing to do with Information Technology. Moreover, this framework can
encompass and monetize aspects which seem intangible at first sight.
This is where key performance indicators come into play.
Identifying Key Performance Indicators for Information Security
These measures form the core of any strategy evaluation system.
Creating metrics for Information Technology needs doesn't have to be
daunting. Information Security consists of the following levels:
Information Availability, Information Integrity, Information
Authenticity, and Personnel Protection (the inclusion of this last
level is often debated). Thus, once you have these categories in your
evaluation system, you can measure the number of failure events for
each level. By doing this you create measurable entities for your
business evaluation framework.
However, identifying the right KPIs is only half the battle. The other
half is creating an effective system for gathering the data. Without
collecting actual information on each KPI it is impossible to get a
holistic picture of how your business entity operates. The number of
metrics should be kept small: too many metrics result in numerous
reports and forms for your employees, and these can be very
distracting.
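The two steps above (count failure events per security level, then gather that data into something an executive can read) can be shown in working code. The following is an added example, not code from the original post: the incident records, the reporting period, and the per-level failure thresholds are all constructed for illustration, and the green/amber/red mapping is an assumed convention rather than anything the post prescribes.

```python
"""Added example: counting failure events per Information Security level
and turning the counts into a scorecard. The incidents, period and
thresholds below are constructed, not real data."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# The four levels named in the post. Personnel Protection is included,
# although the post notes that its inclusion is debated.
LEVELS = ("availability", "integrity", "authenticity", "personnel_protection")

# Assumed reporting period (one quarter) and assumed maximum acceptable
# failures per level for that period. Both are placeholders.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 3, 31)
THRESHOLDS = {
    "availability": 2,
    "integrity": 0,
    "authenticity": 1,
    "personnel_protection": 1,
}


@dataclass(frozen=True)
class Incident:
    day: date
    level: str          # one of LEVELS
    description: str


# Constructed sample incident log; each entry is already tagged with the
# level it affected, which is the data-gathering step the post calls for.
SAMPLE_INCIDENTS = [
    Incident(date(2024, 1, 9), "availability", "web portal outage, 40 min"),
    Incident(date(2024, 1, 22), "integrity", "unauthorised change to a payroll record"),
    Incident(date(2024, 2, 3), "availability", "DNS failure, 15 min"),
    Incident(date(2024, 2, 14), "authenticity", "spoofed mail claiming to be from the CFO"),
    Incident(date(2024, 3, 1), "availability", "storage cluster degraded"),
    Incident(date(2024, 3, 18), "personnel_protection", "tailgating into the server room"),
    Incident(date(2024, 4, 2), "availability", "outside the period, must not be counted"),
]


def count_failures(incidents, start, end):
    """KPI: number of failure events per level within [start, end].
    Every level appears in the result, even with zero events, so the
    scorecard has a fixed shape from one period to the next."""
    counts = Counter({level: 0 for level in LEVELS})
    for inc in incidents:
        if inc.level not in LEVELS:
            raise ValueError(f"unknown security level: {inc.level!r}")
        if start <= inc.day <= end:
            counts[inc.level] += 1
    return dict(counts)


def scorecard(counts, thresholds):
    """Map each count to a status readable by non-IT executives.
    green: within target; amber: up to twice the target; red: beyond that."""
    result = {}
    for level, n in counts.items():
        limit = thresholds[level]
        if n <= limit:
            status = "green"
        elif n <= 2 * limit:
            status = "amber"
        else:
            status = "red"
        result[level] = {"failures": n, "target": limit, "status": status}
    return result


def period_report(incidents=SAMPLE_INCIDENTS):
    """Full report for the assumed reporting period."""
    counts = count_failures(incidents, PERIOD_START, PERIOD_END)
    return scorecard(counts, THRESHOLDS)


if __name__ == "__main__":
    for level, row in period_report().items():
        print(f"{level:<22} {row['failures']:>2} / {row['target']:<2} {row['status']}")
```

The report keeps the number of metrics small, four counts and four statuses, which is the point made above about not burying employees in forms; the only input needed from the organisation is a dated, level-tagged incident record.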