Measures and Metrics in Corporate Security

Posted on by Ben Rothke

Two of the most famous quotes from Lord Kelvin are “to measure is to know” and “if you can not measure it, you can not improve it”. With that, in Measures and Metrics in Corporate Security, author George Campbell provides a quick and high-level introduction to the topic of metrics and measurement. Campbell is the former Chief Security Officer at Fidelity Investments, where metrics are used heavily.

Security metrics are a key initiative for many CISOs. But what they often struggle with is how to find the right information security metrics, and how to use them for functionally operational measurements that can support the business.


The first part of the book contains the following 3 chapters which encompass the first 70 pages:

Chapter 1: The Basics

Chapter 2: Types of Metrics and Performance Indicators Appropriate to the Security Mission

Chapter 3: Building a Model Appropriate to Your Needs

The next 70 pages contain the following appendixes:

Appendix 1: Examples of Security-Related Measures and Metrics

Appendix 2: Trade Associations and Other Organizations with Security Voluntary Compliance Programs

Appendix 3: Sample High-Level Security Work Breakdown Structure

Appendix 4: Physical Security Cost Estimating Tables

Appendix 5: Risk Measure Maps

The book does not have a companion web site. It would have been quite beneficial if the templates detailed in the appendixes were available in soft copy.

The book notes that security metrics can be easy to create. But really good security metrics, those that can add value to the organization, can be difficult to develop. For those who are looking to create good security metrics, Measures and Metrics in Corporate Security is a good starting point.

Ben Rothke

Senior Information Security Manager, Tapad
