4.4.3 Quantification
The objective of the quantification step is to determine the metrics and measures
for each parameter. Inherent metrics and measures should already have been identified
by the narrative. If a parameter has no inherent metric, look for established metrics
and measures (e.g., SLAs, an uptime objective, or MTBF). If a parameter is important
and there is neither an intrinsic nor an established metric for it, find something
about it to measure or impose an artificial measure.
Consider whether the parameters provide metrics and measures that correlate
to recognized industry benchmarks. If there is no comparison to industry benchmarks,
are the parameters quantifiable in such a manner that the results show internal
consistency and provide business value through relative comparisons (period over
period, or unit against unit)? Compliance levels fall into this latter category.
Compliance has no intrinsic value; however, a measure of compliance can be obtained
by superimposing an artificial measure built from the features of the compliance
requirements that exist within the organization.
When applying the IAQP, consider the following questions with respect to the IA
parameters and how to measure them. The list is exemplary of the types of questions
to ask during brainstorming and development of a quantification model.
• Is the value something the parameter has intrinsically, or is the value an
  artificial metric and measure?
• Is the appropriate value to measure something the parameter does not have?
  - Measure the absence of X to prove security; conversely, the presence of X
    points to insecurity.
• Is the value to measure something the parameter gains (growth) or does not gain
  (stasis)?
  - Maintain secure operations through a predictable gain of X within Y, where Y
    is [system | log | network | other]; a shortfall against the expected gain
    (e.g., a log that stops growing) is itself a finding.
  - Maintain secure operations through a steady state of X within Y, where Y is
    [system | log | network | other]; a gain of X implies a tendency toward
    mission entropy.
• Is the value to measure something the parameter loses (loss) or does not lose
  (stasis)?
  - Secure operations are compromised through loss of X.
  - X does not lose (conservancy principle): X may grow, but a decrease is a
    compromise.
• Are metrics static or dynamic?
  - Not the value of the parameter, but the set of parameters measured: does it
    change under certain circumstances?
  - For example, the parameters measured are relative to the DHS (Department of
    Homeland Security) alert level; a higher alert level implies an increase in the
    number of parameters to measure.
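The questions above can be turned into a small, runnable quantification model. The following Python is an added example and is not part of the original text or of the IAQP itself: it classifies the change in a measured quantity X within a scope Y against a growth, stasis or conservancy expectation, selects the set of parameters to measure from a numeric alert level (a stand-in for the DHS levels), and computes an artificial compliance measure as a weighted share of requirements met. All parameter names, scopes, alert levels, requirement names and sample values are constructed for the illustration.

```python
"""Added example: a small quantification model for IA parameters.

Parameter names, scopes, numeric alert levels and all sample numbers below are
constructed for this illustration; they are not drawn from the original text.
"""
from dataclasses import dataclass

# The three expectations the section's questions describe for X within Y.
GROWTH, STASIS, CONSERVANCY = "growth", "stasis", "conservancy"


@dataclass(frozen=True)
class Parameter:
    name: str                  # X, the quantity measured
    scope: str                 # Y: system | log | network | other
    expectation: str           # GROWTH, STASIS or CONSERVANCY
    min_level: int             # lowest alert level at which X is measured
    expected_gain: float = 0.0 # GROWTH only: expected delta per interval
    tolerance: float = 0.0     # GROWTH only: allowed relative deviation


def assess(param: Parameter, baseline: float, current: float) -> str:
    """Classify the change in X as 'ok', 'gain' or 'loss' against the expectation."""
    delta = current - baseline
    if param.expectation == STASIS:
        # Any movement is drift; a gain is the "tendency toward mission entropy".
        if delta == 0:
            return "ok"
        return "gain" if delta > 0 else "loss"
    if param.expectation == CONSERVANCY:
        # Conservancy principle: X may grow, but loss of X compromises operations.
        return "loss" if delta < 0 else "ok"
    # GROWTH: X should gain within a predictable band; a shortfall means the
    # expected activity (e.g. log lines) stopped arriving, i.e. absence of X.
    lo = param.expected_gain * (1.0 - param.tolerance)
    hi = param.expected_gain * (1.0 + param.tolerance)
    if delta < lo:
        return "loss"
    if delta > hi:
        return "gain"
    return "ok"


def parameters_for(level: int, params) -> list:
    """Dynamic metric set: a higher alert level measures more parameters."""
    return [p for p in params if p.min_level <= level]


def evaluate(params, level: int, baseline: dict, current: dict) -> dict:
    """Assess every parameter in scope at this alert level."""
    return {p.name: assess(p, baseline[p.name], current[p.name])
            for p in parameters_for(level, params)}


def compliance_measure(requirements: dict, satisfied: set) -> float:
    """Artificial measure superimposed on compliance: weighted share of
    requirements met.  It has no intrinsic meaning, but it is internally
    consistent, so it supports relative comparison between periods or units."""
    total = sum(requirements.values())
    met = sum(w for req, w in requirements.items() if req in satisfied)
    return met / total if total else 0.0


# Constructed sample model (hypothetical parameters and snapshot values).
PARAMETERS = [
    Parameter("admin_accounts", "system", STASIS, min_level=1),
    Parameter("listening_ports", "network", STASIS, min_level=2),
    Parameter("auth_log_lines", "log", GROWTH, min_level=1,
              expected_gain=1200, tolerance=0.5),
    Parameter("patched_cves", "system", CONSERVANCY, min_level=1),
    Parameter("dns_queries", "network", GROWTH, min_level=3,
              expected_gain=5000, tolerance=0.3),
]
BASELINE = {"admin_accounts": 3, "listening_ports": 4, "auth_log_lines": 120_000,
            "patched_cves": 42, "dns_queries": 900_000}
CURRENT = {"admin_accounts": 4, "listening_ports": 4, "auth_log_lines": 121_100,
           "patched_cves": 40, "dns_queries": 900_000}
REQUIREMENTS = {"mfa_on_admin": 3.0, "log_retention_90d": 2.0,
                "quarterly_access_review": 1.0, "encrypted_backups": 2.0}
SATISFIED = {"mfa_on_admin", "encrypted_backups"}

if __name__ == "__main__":
    for level in (1, 3):
        print(f"alert level {level}: {evaluate(PARAMETERS, level, BASELINE, CURRENT)}")
    print(f"compliance: {compliance_measure(REQUIREMENTS, SATISFIED):.3f}")
```

In the constructed data, level 1 measures three parameters and flags the extra administrator account (stasis violated) and the drop in patched CVEs (conservancy violated); raising the level to 3 adds the network parameters, which additionally surface a DNS query counter that stopped growing. The compliance figure (0.625) is meaningful only relative to the same weighting applied elsewhere.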
 