Measuring security

Abstract

Measuring Security is a clear need widely spread in the field of Cyber Security. It is part of the standardized risk management, such as ISO 27001, and it is an essential tool in the PDCA cycle of continuous improvement.On the other hand, in Physical Security environment just a few organizations are still using risk management systems oriented on continuous improvement, based on PDCA cycles, such as ISO 31000. This may be the reason why Physical Security does not have extended experience on how to measure its performance. Notwithstanding, Managing Security, Information Technology, Customs Relations, Production, or any other function of a company or organization should be measured. Obviously what it is not measured cannot be evaluated. And if you cannot evaluate a function of a company, how do you know if their leaders are doing well? How do you know if you are providing appropriate resources or not? In this paper we analyze which Security aspects can be measured and how. Several sets of parameters are proposed to be considered, in order to analyze the Security resources of an Organization: Effectiveness (incidents and the success of his rejection); Efficiency (money, people, work hours); Performance (equipment breakdowns attendance times, officers absenteeism, etc.); Evolution of the threats addressed (incidents and attempts); Maturity of the resources (projects planned, implemented, on operation, audited). The existence of a methodology for measuring Security is essential in the implementation of a risk management system focused on continuous improvement. Measuring Security is a key to propose organizational goals and generate benchmarking among different branches or at different moments. Cuevavaliente Ingenieros has specific experience on implementing security metrics for international companies.