Rigorous quantitative analysis is required to free security and risk decision makers from the murky domain of unsubstantiated hypotheses and ambiguous guidance from so-called "best practices". Information Security, as a systems and network management sub-specialty, must mature into an accountable discipline with transparent and well-understood criteria for goal attainment and investment payoff.
As Lord Kelvin famously said: "Without numbers, knowledge is of a meagre and unsatisfactory kind".
Security programs must evolve to a state where they are continuously measured and analysed to drive deeper understanding. Such knowledge will enable more informed decisions that will inevitably yield improvement and reduce risk. Many fields have successfully executed similar transitions from qualitative to quantitative models for risk and its management. In each case, a relentless focus on empirical research and sound quantitative analysis has provided the foundation. Metrics Management is core infrastructure for this foundation.
Toward the goal of providing accessible and reliable Security Metrics Management, MetricsCenter, powered by PlexLogic, offers four primary user-visible services in addition to a backend platform for quantitative data analysis:
No formal relationship with MetricsCenter or PlexLogic is required for read-only access to the public area of this web site. The public area includes a growing and regularly updated collection of Metric Dashboards, a public, read-only Metrics Catalog, and Resources pages.
The private area provides services for anonymized information submission, collaborative metrics development, sophisticated analytics, and metric results sharing. Access to the private area requires a login account with appropriate entitlements. Private MetricsCenter services are delivered under a Software as a Service (SaaS) model. Accounts are available on an annual subscription basis. Please send an email to info at plexlogic dot com to receive more information.
The Catalog is a tool that you can use to organize and share metric definitions and link these definitions with other important objects such as Contexts, Datasets, Dimensions, and Surveys, as well as Comments about each. Members of your Metrics Community (e.g. a Company or a group of trusted Companies) can edit these definitions to create new versions, make comments, or assign ratings for your review. When consensus has been achieved, a new version of the metric and its associated Datasets and Dimensions can be published and marked as such in the Catalog. Full version control, search, and comment threads are provided for each Catalog object class.
The YouAreHere Benchmark allows Companies in a trusted Community to compare their performance with their peers, as measured by a collection of shared security metrics. In this second release of the MetricsCenter service, each Community Member submits metric values in the form of answers to short, simple surveys, spreadsheets, or CSV files.
In the case of survey-based submission, each question on the survey is associated with a detailed definition of a metric stored in the Metrics Catalog. There is a link to this metric definition for each survey question.
In the case of spreadsheet and CSV-based submission, users submit anonymized files via either a manual or automated push to MetricsCenter. An automated Extract, Transform, and Load (ETL) workflow is initiated to ingest each file into a dataset. Dataset definitions in the Catalog define many aspects of the ETL interface and mapping specifications. Datasets are linked to their associated measures, dimensions, metrics, and temporal values. Using these links, an automated MetricsCenter workflow can perform quantitative analysis, apply models, and generate widgets for display in a public, community, company, or private dashboard.
To submit data and provision workflows, you need to be authorized as a data submitter for your participating Company. To do so, you can contact your MetricsCenter Administrator or us for more details.
MetricsCenter provides several Dashboards that display analyzed metric results: Public, Community, and Company Dashboards.
Public Dashboards are available to any visitor to MetricsCenter. Public Dashboards display metric results computed from public sources such as the Open Software Foundation, the National Vulnerabilities Database, and other sources.
Private Dashboards are designed for trusted Communities of Companies or individual Companies. Community Dashboards provide benchmarking results based upon anonymized contributions of data from multiple Companies. Company Dashboards display metric results that are private to a single Company. The Community and Company Dashboards are available only to subscribers to the MetricsCenter service.
There are many very useful publications about information security metrics in books, articles, and web content. This MetricsCenter service offers a growing collection of these resources to assist you and your business in keeping up with the state of the art and science of security metrics.