Metrics give a quantifiable way to measure the effectiveness of security programs and processes. As metrics have grown more popular over the past few years, so has the number and variety of metrics used to evaluate efficiency. Without proper vetting, however, a metric may not actually evaluate the process or program it is meant to measure. Designing and applying metrics is not as easy as it looks: a metric must be chosen carefully so that it measures exactly what it was intended to measure, and nothing else.
Identification and access control can serve to demonstrate how to use metrics effectively when evaluating a security process or program. When evaluating the effectiveness of an identification program, creating metrics begins with an evaluation of the ID program itself. Why was the program created? Who is the intended target audience? Who implemented the program? What are the individual processes that make up the program? For argument's sake, let us assume that the ID program resides in a corporate headquarters and was developed by senior administration in order to identify outsiders (persons who visit the building and are not employees). The program was started after an unhappy customer came into the headquarters and was verbally abusive about his dissatisfaction with one of the company's product lines.