The IAQP (Figure 4.2) starts with a narrative of the business scenario that includes the desired state of operation, capability, or behavior. The narrative also includes potential and probable risks in business terms, and the IA services and IA mechanisms that will address the risks. Analysis of the narrative attempts to identify parameters that represent relevant points with respect to business objectives, risk, and risk mitigation. With that set of parameters, consider what about them is measurable and in what terms (in what metrics). The IAQP then prompts you to articulate how to obtain the measures, analyze the measures, and report the measures within the organization.
The following sections describe each step in the IAQP to determine the appropriate metrics and measures for your organization.
Figure 4.2 IA quantification process. (The figure's labeled steps are: Narrative, Parameters, Quantification, Discovery, Analysis, Report, Feedback.)
4.4.1 Narrative
The IA quantification process provides guidance for determining how to quantify a particular scenario. The first step is to provide a narrative describing that scenario. Define the problem, define the intent (see IA 2 Process), and define the objective in business, technical, and IA terms. Articulate the scenario to capture the business objectives, the risks, and the intent of IA. Do not initially attempt to state what you may quantify. Later IAQP steps will identify what you may quantify, how to obtain the measures, and how to use them.
4.4.2 Parameters
Review the narrative using the Reality Check Framework (who, what, why, when, where, and how). Identify the entities, actors, and actions. Question each of these in terms of what may be quantified. Find and note any inherent metrics or measures, a way to count them, or a way to superimpose artificial metrics. Potential parameters include a quantity (the number of), e.g., the number of firewalls, the number of security incidents. Another parameter may be a dollar figure such as cost of IA or ROI for IA. Another parameter may be a compliance level, i.e., current security posture contains X features as compared to a baseline standard of Y features, therefore, X/Y = % compliance level.