The adage “you can’t manage what you can’t measure” is true in business and equally true for information security. How else will you know if you’re doing better and how will you know if your investments are providing any return? The simple answer is you won’t. Measurement is critical to managing everything, and in our case, managing an information security program.
As important as the measurement itself is what we’re trying to measure. We measure information security, and we define information security as:
Managing risk to unauthorized disclosure, alteration, and destruction of information using administrative, physical, and technical controls.
If we assume that this is a valid definition, which it is, then information security starts with managing risk. Measure risk and you measure information security. Simple as that.
There are numerous ways to measure most things, and information security risk is no different. For the measurement we define (S2SCORE) to be valid it must meet these three criteria:
- It must be objective. Objective criteria are well-defined and easily validated; subjective criteria are reliant on perspective, interpretation, and/or opinion. The more objective a measurement is, the more valid it is.
- It must be consistent. A measurement must be the same every time it is used. If the criteria don’t change, nor should the measurement. Consistent application allows for the determination of changes or deltas in the state of something, in our case an information security program. When the state of our information security program changes, we can determine the impact of the change based on previous measurements.
- It must be relevant. If a measurement of something isn’t composed of relevant elements, criteria, and/or characteristics, then it’s useless.
Distance is an easy measurement for most people to relate to. In 1150 AD, King David I of Scotland defined the old English ynce as the breadth of a man’s thumb at the base of the nail. The measurement was objective and relevant, but it wasn’t consistent because different men have different thumb sizes. Recognizing this issue, the King decided to apply the average of three men’s thumbs, one small, one medium, and one large. Thus, the inch became a valid measurement of distance.
SecurityStudio defined our information security inch.
It’s important to note, just like the inch isn’t the only valid measurement unit for distance, the S2Score probably isn’t the only valid measurement unit for information security risk.
Maturity and S2SCORE
Maturity and S2SCORE are both measurements; however, they don’t measure the same thing and one is more valid than the other.
Arguably the most common reference for maturity is the Capability Maturity Model Integration (or “CMMI”) administered by the CMMI Institute, a subsidiary of the Information Systems Audit and Control Association (or “ISACA”). The model was originally developed by Carnegie Mellon University in 1986 as a process-level improvement training and appraisal program and has since been modified to fit many different applications, including information security.
There are five levels defined in the CMMI:
• Level 1 – Initial; processes are unpredictable, poorly controlled and reactive.
• Level 2 – Managed; processes are characterized for projects and are often reactive.
• Level 3 – Defined; processes are characterized for the organization and are proactive.
• Level 4 – Quantitatively Managed; processes are measured and controlled.
• Level 5 – Optimizing; focus is on process improvement.
Maturity is a common metric, used by many within the information security industry as a measurement of information security program performance and risk. The problems with using maturity as a
- Maturity, by itself, is an indicator of information security program performance and risk, but it is not a valid measurement. There’s more to information security than maturity, especially when we consider our definition (above).
- Maturity is most often determined and applied subjectively. Subjective measurements are not valid ones. Objectivity is the first measurement validity requirement.
- The application of maturity as a metric is often inconsistent between organizations and even within an organization from assessment (or measurement) to assessment. This violates our consistency requirement.
SecurityStudio recognizes the value in the CMMI and in using maturity as a risk indicator but does not use the CMMI as a measurement of information security program performance or risk.
For organizations that use maturity as a measurement, SecurityStudio has vastly improved its validity. Within SecurityStudio, maturity is measured objectively and consistently, which makes maturity a valid metric for measuring program maturity; however, it still fails for relevance because of the gap between maturity and our definition of information security.
The S2SCORE was built as a measurement of information security program performance and risk. The metric fits our three criteria for measurement (above) and is compatible with traditional maturity measurements.
S2SCORE uses maturity as it is intended, as an indicator of performance and risk; however, the S2SCORE also accounts for our definition of risk:
The likelihood of something bad happening and impact if it did.
Likelihood and impact are derived from threats and vulnerabilities. In this context, maturity applies to control weaknesses (or vulnerabilities) as much as (or more than) anything else.
Applying our measurement validity test to S2SCORE:
- The measurement must be objective. The S2Score is based on binary data and it is what it is. The measurement cannot be manipulated except through deception (or lying).
- The measurement must be consistent. Application of the S2Score is the same from one organization to the next allowing for comparison between organizations, and it’s applied consistently over time allowing for state changes within an organization (improvements, digressions, and external threat factors).
- The measurement must be relevant. One part of the assessment (the part the users see) is metrics related to information security control weaknesses (or vulnerabilities), while the other part of the assessment (the part that users don’t see) is related to threats. The result of applying threats to weaknesses is our definition of risk and, by proxy, information security. The S2Score is completely relevant to what it is we’re attempting to measure.
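To make the risk definition above concrete (likelihood and impact derived from threats, scaled by the control weaknesses a binary yes/no assessment exposes), here is a hypothetical scoring model added for this page. It is not SecurityStudio’s S2SCORE algorithm: the threat catalogue, control names, 1–5 weights, and the linear mapping onto the 300–850 range the page quotes are all constructed assumptions. It shows why binary answers give an objective, repeatable score, how the delta between two assessments of the same organization falls out, and which threats carry the most residual risk.

```python
from dataclasses import dataclass

# Hypothetical model for illustration only; not SecurityStudio's S2SCORE method.


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # 1..5, how likely the threat is to occur (constructed)
    impact: int              # 1..5, how bad it is if it does (constructed)
    mitigated_by: tuple      # control ids that reduce exposure to this threat


# Constructed threat catalogue: the "part users don't see". Weights are illustrative.
THREATS = (
    Threat("phishing", likelihood=4, impact=3, mitigated_by=("mfa", "awareness_training")),
    Threat("ransomware", likelihood=3, impact=5, mitigated_by=("offline_backups", "edr", "patching")),
    Threat("lost_laptop", likelihood=2, impact=3, mitigated_by=("disk_encryption", "mfa")),
)

# Every control the catalogue references; each is answered True (in place) or False (absent).
ALL_CONTROLS = sorted({c for t in THREATS for c in t.mitigated_by})

# Constructed answer sets: a baseline assessment and a follow-up after two controls were added.
BASELINE = {"mfa": True, "offline_backups": True, "awareness_training": False,
            "edr": False, "patching": False, "disk_encryption": False}
IMPROVED = dict(BASELINE, edr=True, disk_encryption=True)


def exposure(threat, answers):
    """Fraction of the threat's mitigating controls that are absent (0.0 = fully covered)."""
    missing = [c for c in threat.mitigated_by if not answers.get(c, False)]
    return len(missing) / len(threat.mitigated_by)


def risk_by_threat(answers):
    """Residual risk per threat: likelihood x impact, scaled by the control gap."""
    return {t.name: t.likelihood * t.impact * exposure(t, answers) for t in THREATS}


def residual_risk(answers):
    return sum(risk_by_threat(answers).values())


def inherent_risk():
    """Risk with no controls in place; the upper bound used to normalise the score."""
    return sum(t.likelihood * t.impact for t in THREATS)


def score(answers, low=300, high=850):
    """Map the mitigated fraction of inherent risk onto a low..high scale.
    300-850 is the range the page quotes for S2SCORE; the linear mapping is an assumption."""
    mitigated = 1 - residual_risk(answers) / inherent_risk()
    return round(low + (high - low) * mitigated)


def delta(before, after):
    """Change in score between two assessments of the same organisation."""
    return score(after) - score(before)


def top_threats(answers):
    """Threats ordered by residual risk, highest first, to prioritise the next controls."""
    return sorted(risk_by_threat(answers).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("baseline:", score(BASELINE), top_threats(BASELINE))
    print("improved:", score(IMPROVED), "delta:", delta(BASELINE, IMPROVED))
```

Because the threat weights are fixed in the catalogue and the only input is the set of yes/no answers, the same answers always produce the same score, and two assessments differ only by the controls that changed between them. Relevance comes from the threat side of the model: a control gap that no catalogued threat exploits contributes nothing, while one shared by several threats (here `mfa`) moves the score the most.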
NOTE: S2SCORE is not the only measurement any more than an inch is the only measurement of distance. It is a valid measurement, and it’s obviously one we use and highly recommend.
As you can see, maturity and information security risk measurement are two different, but related things. The S2SCORE is a measurement of information security risk; whereas, maturity is an indicator of information security risk. SecurityStudio’s S2Org measures both but uses them in a more accurate context.
If you’re used to using maturity as an information security measurement, we designed the S2Org to help you transition to the S2SCORE. For more information about the S2Score, see About the S2SCORE or contact SecurityStudio.
Quick About SecurityStudio
SecurityStudio (or S2) is a community and mission-driven information security solutions company dedicated to simplifying information security management and compliance. We help people and organizations in all industries (public and private) master information security fundamentals by providing practical tools on our best-in-class SaaS platform and through our trusted service partners.
The S2 platform is the premier risk and digital safety assessment tool in the world. Driven through our easy-to-use interface, information security risks can be assessed and managed for individuals (consumers and employees/personnel), the organizations they work for (public and private sector), and their vendors. With more than 3,000 assessments completed, our platform has been proven to be successful in simplifying and improving information security for hundreds of thousands of people.
• S2SCORE – our quantitative scoring metric, plotted on a scale from 300 to 850.
• S2Org – our organizational information security risk assessment tool.
• S2Vendor – our third-party information security risk assessment tool.
• S2Team – our team/personnel information security risk assessment tool.
• S2Me – our personal information security risk assessment tool.