Traditional operational security metrics such as number of machines
patched, vulnerability scan results, number of incidents, and number of
staff trained are easy to collect and can be useful. However, if your
objectives are to inform decisions, affect behavior, and determine
in support of business objectives, you'll need to consider a set of
more strategic resilience measures. This presentation suggests 10 such
measures and a means for deriving them.
About the Speaker
Allen is a principal researcher within the CERT Program at the SEI.
Allen's areas of interest include operational resilience, software
security and assurance, and measurement and analysis. Prior to this
technical assignment, Allen served as acting director of the SEI for an
interim period of six months as well as deputy director/chief operating
officer for three years. She earned a bachelor's degree in computer
science from the University of Michigan and a master's degree in
electrical engineering from the University of Southern California. Allen
is the author of The CERT Guide to System and Network Security
Practices (Addison-Wesley 2001) and moderator for the CERT Podcast
Series: Security for Business Leaders. She is a co-author of Software
Security Engineering: A Guide for Project Managers (Addison-Wesley 2008)
and CERT Resilience Management Model (RMM): A Maturity Model for
Managing Operational Resilience (Addison-Wesley 2011).