Using metrics provides a quantifiable way to measure the effectiveness of security programs and processes. As the popularity of metrics has increased over the past few years so has the number and type of metrics that are used to evaluate efficiencies. However, without proper vetting, metrics may not effectively evaluate the process or program that is being measured. Believe it or not, the design and application of metrics is not as easy as it seems. Metrics must be chosen carefully to ensure they measure exactly what they were intended to measure.
We can use identification and access control to demonstrate how to effectively utilize metrics when evaluating the effectiveness of a security process or program. When evaluating the effectiveness of an identification program, creating metrics begins with the evaluation of the ID program itself. Why was the program created? What is the intended target audience? Who implemented the program? What is the breakdown of processes that make up the program? For argument’s sake let’s assume that the ID program resides in a corporate headquarters and was developed by senior administration in order to identify outsiders (persons that visit the building and who are not employees). This process started after an unhappy customer came into the headquarters and was verbally abusive about his particular dissatisfaction with one of the company’s product lines.
Knowing the history of the program is important to the creation of metrics. In this case, it is important to understand why employees had to be issued ID cards and the purpose of the ID cards.
Since the identification badge was not implemented as a tool to authenticate an individual’s identity, only to determine if they are an employee versus a visitor, metrics should be designed around compliance in wearing the badge and issuing a badge.
The metrics for this ID program could include:
- Tracking ID compliance at the entrances since employees are required to present their ID cards at entry.
- Proper display of the ID card when the ID is presented when entering the building. It could measure data on whether the ID card can be seen when the employee enters the building.
- Because employees are required to wear ID cards, making it easier for the employee to obtain and wear the card may be a good metric. An employee survey could be utilized to determine employee opinion on the program and ask for suggestions for improvement.
These examples demonstrate metrics that evaluate the ID program based upon the program’s objectives and goals — based upon the rational and purpose of the program.
Using program or process objectives is not the only way to develop effective metrics, though. Metrics development can be accomplished through general data collection. For example, access control can be a door with a magnetic lock and card reader, it can be a security officer standing at an entrance or it can be a password or firewall that pre-selects persons for access. Either way, data can be collected on the specific processes that make up the access control program or process. Using the example of a security officer standing at an entrance, data collection can be developed when the officer’s job functions or job processes are reviewed and broken down into simple tasks. Where the security officer stands, what the officer says, how many people he stops or lets through, how many people sign the visitor logbook and the legibility of the logbook are all basic tasks that the officer may go through when standing and screening persons entering the building. Data collection could include:
- Number of minutes or hours the officer is present at the entrance compared to the assigned hours.
- Number of times the officer is standing at the spot required, or not standing at the spot.
- How many times the officer verbally greets persons entering the building, or does not greet persons.
- The number of persons that are stopped at the entrance compared to the number that are not.
- The number of persons that are asked for identification compared to those who are not.
- The number of employees who voluntarily showed their IDs compared to the number that did not.
All this data can be collected by tally sheets either by the officer during the course of the job or by observation of a supervisor or other person and over 30 days. Then, analyze the data to determine what story it tells. The data should become the permanent metrics used to evaluate that program’s effectiveness.
When selecting metrics for your particular programs and processes, remember to identify the objectives of the program and its goals. Develop metrics that will demonstrate the effectiveness of those objectives and goals. Additionally, break down the job functions of each security function to its simplest tasks. Then, utilize basic techniques to collect data on those tasks. Once gathered, analyze each data collection technique in order to determine its effectiveness in demonstrating effective performance.