Traditional operational security metrics such as number of machines patched, vulnerability scan results, number of incidents, and number of staff trained are easy to collect and can be useful. However, if your objectives are to inform decisions, affect behavior, and determine control effectiveness in support of business objectives, you'll need to consider a set of more strategic resilience measures. This presentation suggests 10 such measures and a means for deriving them.
Allen is a principal researcher within the CERT Program at the SEI. Allen's areas of interest include operational resilience, software security and assurance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. She earned a bachelor's degree in computer science from the University of Michigan and a master's degree in electrical engineering from the University of Southern California. Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2011).