Chapter 4
IA Quantification
4.1 Introduction
There is an increasing need to show the business value of information assurance
with hard, objective measurements that directly align to performance, revenue, and
cost management. The act of measurement requires something to measure. The IA
quantification framework (IAQF) provides guidance on where to look for opportunities
to quantify IA or to find parameters to measure that represent IA, and a
way to look at IA quantification from different perspectives. The IA quantification
process (IAQP) provides a method to determine metrics and measures for IA that
provide an objective view of the enterprise security posture and can establish an
objective quantified baseline from which to trend the performance of IA services
and IA mechanisms.
A metric is a standard of measure; a measure is an amount. An American football
field is 100 yards long; the measure is 100, the metric is yards. There are 100
centimeters in 1 meter; 1 and 100 are measures, and meter and centimeter are
metrics. What are the metrics and measures of information assurance? What do
they mean?
Good metrics are measurable, collectible, usable, and meaningful. A metric is no
good if it is not measurable: there must be a value. A metric is no good if it is not
collectible: you must be able to obtain the measure. A metric is no good if it is not
usable: the measure must fit into calculations in a manner that provides useful results.
A metric is no good if it does not have meaning to the organization: a good metric must
relate to business drivers, strategic objectives, or otherwise to the mission.
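To make the metric/measure distinction and the "quantified baseline from which to trend" concrete, here is an added example that is not part of the book's text or its IAQF/IAQP material. It treats "days from a critical vulnerability being found to being remediated" as the metric (the standard of measure, in days) and each finding's elapsed time as a measure (the amount), then computes a per-period summary, a baseline over the first periods, and a trend verdict per period. The finding records, the 30-day remediation target (standing in for the business driver that makes the metric meaningful), and the 20% tolerance band are all constructed assumptions for illustration.

```python
"""Added example (not from the book): an IA metric with measures, a
baseline and a trend.

Metric  (standard of measure): days from finding to remediation of a
                               critical vulnerability, unit = days.
Measure (an amount):           one number per finding, in that unit.

All findings below are constructed sample data; the 30-day target is an
assumed business driver (an SLA), not one the book states.
"""
from datetime import date
from statistics import median

# Constructed finding records: (finding id, period, found on, remediated on).
FINDINGS = [
    ("F-1", "2024-Q1", date(2024, 1, 3),  date(2024, 1, 20)),
    ("F-2", "2024-Q1", date(2024, 1, 15), date(2024, 2, 10)),
    ("F-3", "2024-Q1", date(2024, 2, 5),  date(2024, 3, 10)),
    ("F-4", "2024-Q2", date(2024, 4, 2),  date(2024, 4, 18)),
    ("F-5", "2024-Q2", date(2024, 4, 20), date(2024, 5, 15)),
    ("F-6", "2024-Q2", date(2024, 5, 8),  date(2024, 5, 30)),
    ("F-7", "2024-Q3", date(2024, 7, 1),  date(2024, 8, 15)),
    ("F-8", "2024-Q3", date(2024, 7, 10), date(2024, 8, 5)),
    ("F-9", "2024-Q3", date(2024, 8, 12), date(2024, 9, 20)),
]

REMEDIATION_TARGET_DAYS = 30  # assumed business driver (remediation SLA)


def measure_days(found, remediated):
    """The measure: an amount in the metric's unit (days).

    A measure that cannot be computed (remediation recorded before the
    finding) is rejected rather than silently producing a negative value,
    since a metric is no good if it is not measurable.
    """
    if remediated < found:
        raise ValueError("remediated before found: measure not obtainable")
    return (remediated - found).days


def measures_by_period(findings):
    """Collect the measures, grouped by reporting period."""
    out = {}
    for _, period, found, remediated in findings:
        out.setdefault(period, []).append(measure_days(found, remediated))
    return out


def period_summary(findings):
    """Usable form of the measures: median days per period and the share of
    findings remediated within the assumed target."""
    summary = {}
    for period, days in measures_by_period(findings).items():
        within = sum(1 for d in days if d <= REMEDIATION_TARGET_DAYS)
        summary[period] = {
            "median_days": median(days),
            "pct_within_target": round(100 * within / len(days)),
        }
    return summary


def baseline(summary, baseline_periods):
    """Objective baseline: median of the per-period medians over the
    periods chosen as the baseline window."""
    return median(summary[p]["median_days"] for p in baseline_periods)


def trend(summary, base, tolerance_pct=20):
    """Trend each period against the baseline. A period whose median is
    more than tolerance_pct above the baseline has regressed; more than
    tolerance_pct below has improved; otherwise it is stable."""
    verdicts = {}
    upper = base * (1 + tolerance_pct / 100)
    lower = base * (1 - tolerance_pct / 100)
    for period in sorted(summary):
        m = summary[period]["median_days"]
        if m > upper:
            verdicts[period] = "regressed"
        elif m < lower:
            verdicts[period] = "improved"
        else:
            verdicts[period] = "stable"
    return verdicts


if __name__ == "__main__":
    s = period_summary(FINDINGS)
    base = baseline(s, ["2024-Q1", "2024-Q2"])
    for period, row in sorted(s.items()):
        print(period, row)
    print("baseline (days):", base)
    print("trend:", trend(s, base))
```

The point of the structure is that each of the four properties of a good metric has a place in the code: the measure must be obtainable from the record (measurable, collectible), it is aggregated into a number that can be compared across periods (usable), and it is reported against a target the organization actually cares about (meaningful). Swap the constructed records for ticketing or scanner exports and the same baseline-and-trend logic applies.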