
Information security indicators

From Wikipedia, the free encyclopedia


In information technology, benchmarking of computer security requires measurements for comparing both different IT systems and a single IT system in specific situations. The technical approach is a pre-defined catalogue of security events (security incidents and vulnerabilities) together with corresponding formulas for calculating security indicators that are accepted and comprehensive.

In recent years, many companies and organizations have emphasized the importance of information security indicators (ISIs). These indicators are measurable signals that help assess, monitor, and improve the security of an organization. ISIs translate intricate security processes into quantities that can be observed easily, so that decision-makers can understand whether their defenses are working, where the risks lie, and where they can improve.

Definition and Purpose

An industry definition states that security indicators are "values based on metrics obtained by comparing logically related attributes about the behavior of an activity, process, or control within a specified time" (Gartner). Examples include the number of unpatched systems, the average time to detect a breach, the percentage of successful breaches, and the number of attempted attacks. Indicators like these are essential because without such data and metrics there is no way to measure or manage anything. They enable organizations to move past "strong security" claims towards decisions that are backed and guided by data.

Types and Categories

Security indicators fall into two main categories. Deployment or process indicators show whether controls are in place, for example the share of devices running current patches or whether employees have completed cybersecurity training. Outcome or effectiveness indicators measure results and performance, such as the average time taken to detect and resolve incidents. Some frameworks also use risk-exposure indicators to spot potential weak points and vulnerabilities within the systems.
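As an added illustration (not code from the article or from ETSI), the following computes both categories over constructed data: deployment indicators from an asset inventory, and outcome indicators from incident timestamps. Open incidents have no resolution time yet, so the mean time to resolve is computed over closed incidents only, and an empty population yields a defined value rather than a division error; the `Asset` and `Incident` records and all sample values are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Asset:
    name: str
    patched: bool          # runs the current patch level (deployment indicator input)
    training_done: bool    # owner completed security awareness training

@dataclass
class Incident:
    occurred: datetime
    detected: datetime
    resolved: Optional[datetime]   # None while the incident is still open

def ratio(numerator: int, denominator: int) -> float:
    """Percentage, defined as 0.0 for an empty population (no division by zero)."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)

def mean_hours(values: list[float]) -> Optional[float]:
    """Mean of a list of hour values; None when there is nothing to average."""
    return round(sum(values) / len(values), 1) if values else None

def deployment_indicators(assets: list[Asset]) -> dict[str, float]:
    """Deployment/process indicators: are the controls in place?"""
    return {
        "patch_coverage_pct": ratio(sum(a.patched for a in assets), len(assets)),
        "training_completion_pct": ratio(sum(a.training_done for a in assets), len(assets)),
    }

def outcome_indicators(incidents: list[Incident]) -> dict[str, Optional[float]]:
    """Outcome/effectiveness indicators: mean time to detect and to resolve, in hours."""
    detect = [(i.detected - i.occurred).total_seconds() / 3600 for i in incidents]
    closed = [i for i in incidents if i.resolved is not None]
    # Open incidents are excluded from the mean rather than counted as zero,
    # which would silently flatter the indicator.
    resolve = [(i.resolved - i.detected).total_seconds() / 3600 for i in closed]
    return {
        "mean_time_to_detect_h": mean_hours(detect),
        "mean_time_to_resolve_h": mean_hours(resolve),
        "open_incidents": len(incidents) - len(closed),
    }

# Constructed sample data, not taken from the article or any ETSI document.
ASSETS = [Asset("web-01", True, True), Asset("db-01", True, False),
          Asset("vpn-01", False, True), Asset("hr-laptop", False, False)]
T = datetime.fromisoformat
INCIDENTS = [Incident(T("2024-03-01T08:00"), T("2024-03-01T10:00"), T("2024-03-01T16:00")),
             Incident(T("2024-03-04T00:00"), T("2024-03-05T00:00"), T("2024-03-07T00:00")),
             Incident(T("2024-03-09T12:00"), T("2024-03-09T13:00"), None)]
```

Reporting the open-incident count next to the mean is what keeps the outcome indicator honest: a low mean time to resolve with many open incidents means the easy cases were closed, not that the process is fast.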

Frameworks and Standardization

The European Telecommunications Standards Institute (ETSI) developed a set of ISI work items that guide organizations in selecting indicators, classifying events, and building the supporting technical architectures. In the United States, the National Institute of Standards and Technology (NIST) published Special Publication 800-55 Rev. 1, giving guidance on how to build and maintain security measurement programmes. These frameworks show that such indicators are an integral part of cybersecurity governance.

Best Practices for Using Indicators

Experts recommend several practices to keep indicators efficient and useful. Indicators should be "actionable", leading to decisions rather than merely describing problems. They should not focus only on technical issues but should align with business goals. Too many indicators, or too much complexity, dilute focus, so simplicity is key. Lastly, indicators should allow an organization to compare its performance over time and against peers; this benchmarking drives improvement. When indicators are chosen and used correctly, trends can be tracked, decisions justified, and security status communicated clearly.

Challenges and Considerations

Using ISIs effectively can be difficult even with the best practices in place. A major challenge is ensuring that indicators measure the right things: organizations often track the metrics that are easiest to count rather than those that reflect their actual risk. Data quality and consistency also raise problems, because different organizations or people may interpret and record incidents differently. To obtain reliable results, experts advise combining quantitative data with expert judgement and reviewing the metrics consistently.

Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis for switching from a qualitative to a quantitative culture in IT security. The scope of measurement covers external and internal threats (attempted and successful), users' deviant behaviours, and nonconformities and/or vulnerabilities (software, configuration, behavioural, and general security framework). In 2019 the ISG ISI was terminated; the related standards will be maintained by ETSI TC CYBER.

The list of Information Security Indicators belongs to the ISI framework that consists of the following eight closely linked Work Items:

  1. ISI Indicators (ISI-001-1[1] and Guide ISI-001-2[2]): A powerful way to assess security controls' level of enforcement and effectiveness (including benchmarking)
  2. ISI Event Model (ISI-002[3]): A comprehensive security event classification model (taxonomy + representation)
  3. ISI Maturity (ISI-003[4]): Necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed and case-by-case approach)
  4. ISI Guidelines for event detection implementation (ISI-004[5]): Demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
  5. ISI Event Stimulation (ISI-005[6]): Propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)
  6. An ISI-compliant Measurement and Event Management Architecture for Cyber Security and Safety (ISI-006[7]): This work item focuses on designing a cybersecurity language to model threat intelligence information and enable detection tools interoperability.
  7. ISI Guidelines for building and operating a secured SOC (ISI-007[8]): A set of requirements to build and operate a secured SOC (Security Operations Center) addressing technical, human and process aspects.
  8. ISI Description of a whole organization-wide SIEM approach (ISI-008[9]): A whole SIEM (CERT/SOC based) approach positioning all ISI aspects and specifications.

Preliminary work on information security indicators was done by the French Club R2GS. The first public set of the ISI standards (the security indicators list and the event model) was released in April 2013.
