Security Technology Executive

NOV-DEC 2014

Issue link: https://securitytechnologyexecutive.epubxp.com/i/431828


12 SECURITY TECHNOLOGY EXECUTIVE • November/December 2014 www.SecurityInfoWatch.com

METRICS FOR SUCCESS

Quantifying the Insider Threat
It is important to assign metrics to this aspect of operational risk

By George Campbell

I can't imagine that any security practitioner who has had even the most cursory contact with the news in the past decade could be unconscious regarding the insider threat. Frankly, and depending only somewhat upon what business you are in, I can't imagine any security manager failing to consider their company's exposure to the knowledgeable insider adversary. They have the keys after all. Our national and financial security have been notably impacted by insiders exploiting defective internal controls, and the respected Ponemon Institute annually publishes a litany of insider risk trends that underscore the cost of reputational risk by strategically-placed insiders in "positions of trust."

Insider protection doctrine establishes several principles that drive the consideration of alternative approaches to performance measurement:

1) identify process criticalities and assess risk;
2) establish processes to assure trust in employee integrity;
3) foster deterrence through a security-aware workforce;
4) limit access to sensitive information;
5) employ responsive measures to monitor the effectiveness of information access and insider behavior;
6) detect anomalous or malicious activity; and
7) respond with timely and measurably effective remedies to such activities.

In spite of some published assessments that there are few if any metrics directed to measuring this sector of operational risk, I believe there are several areas of fruitful exploration for both risk and performance measures. The chart below displays just a few I feel are worthy of consideration.

[Chart: Key Performance Indicators Directed to the Insider Threat. Bar chart comparing Q1, Q2 and Q3 values (percent, 0 to 90 scale) for the following indicators:]
- Percent of security defects identified in inspections and incident post-mortems deemed to be common across multiple locations and business processes.
- Percent of test subjects who after 12 months of service retain principal elements of security responsibilities delivered in training.
- Percent of high risk processes residing within 3rd parties that have completed risk assessments and all notable vulnerabilities confirmed as mitigated by test.
- Percent of known vulnerabilities identified as primary root cause of insider-directed incidents.
- Percent of security defects identified in inspections and incident post-mortems confirmed by test as effectively mitigated.

Outputs of inspections, investigations and risk assessments — Assuming you competently inspect and assess to uncover defective internal controls or security measures and conduct internal investigations, these results should offer up a host of conclusions you have passed on to the business unit or process owner. What was the result of the steps they took to address these gaps, and how measurably effective have those actions been to remove the vulnerabilities?

Scoping process controls across the spectrum of delivery — This entails end-to-end analysis and addresses third-party ownership and effectiveness of insider risk management.

(continued on page 36)

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased at www.securityexecutivecouncil.com.
