Overview of IT Security Services' Metrics Development


The Metrics Framework table below organizes the current list of ITSS metrics into a quasi-balanced scorecard format that is consistent across the areas in CSS. Columns in the table are individual lines of business, usually headed by a Team Leader. A second piece of the framework is a sub-section on metrics definitions, with further documentation, if needed, about how the metrics are produced.

The actual values for these metrics are shown in a series of tables in the next section, where we present up to five quarters of data if it is available. 


Metrics Framework

In the table below, the left column marks off the "balanced scorecard" quadrants in our metrics framework. Adjacent columns list, by "line of business", the current roster of existing or potential metrics. The metrics are in various states of development:
- bold face indicates "operational" metrics, with a defined means of production and a historical record;
- normal face indicates "possible" metrics, which aren't well established now but could be with a small development effort using existing systems;
- italic face indicates "prospective" metrics, desirable metrics that don't now have a path to becoming established.

New metrics ideas can be introduced at any time.  Continuous improvement efforts seek to move prospective metrics to possible, and possible to operational, within the normal operations of the teams involved.

| Metrics Quadrant | DMCA | Net-Security | Stopit | Info-Protect |
| --- | --- | --- | --- | --- |
| Client Satisfaction or Programmatic Outcomes | Type of Risk Exposure averted | Type of Risk Exposure averted | Type of Risk Exposure Averted | # of days since a major spill? |
| Resource Utilization ... of Team Services (market penetration) (utilization of the team by MIT) (client uptake) (event demographics) | DMCA tickets | Net-Security tickets | StopIT tickets | # of info-protect incidents; ratio of types of exposure (SSN, credit card #s, accounts and passwords, etc.); typical size of exposures (n of records, etc.); Ratio of finding types (no breach, breach + notification, etc.); ratio of Attack types (malware, password sniffer, bank account sniffer, social engineering, etc.) |
| Resource Utilization ... of Tools and Resources | Ratio of Incidents to agents? | Ratio of Incidents to agents? | Ratio of Incidents to agents? | Level of effort per incident? |
| Process Performance | Avg Backlog; Avg Time to Resolve | Avg Backlog; Avg Time to Resolve | Avg Backlog; Avg Time to Resolve | Backlog; Avg Time to Resolve |
| Finances | | | | |

Definitions and Means of Production

The ITSS Metrics Definitions page holds a table that lists our existing metrics in some detail and identifies measures we'd like to build.

Five (or more) Quarters of Measures Presentation



Team Leaders upload fresh versions of their metrics documents here.

File: ITSS metrics.xls (Microsoft Excel Sheet), modified Jul 06, 2010 15:44 by Robert W Smyser
