Tuesday, February 12, 2013

Advantages of BSc Adoption for Information Security




Information Security is an integral part of any IT system and should not be overlooked. However, it can sometimes be difficult to justify the budget spent on this IT component. To estimate the value of security controls, executives traditionally use the ROI (Return on Investment) and ROSI (Return on Security Investment) frameworks. However, these frameworks don't always reflect the actual efficiency of the security measures. Because ROI and ROSI succeed to varying degrees, many organizations opt for the Balanced Scorecard approach to evaluate their IT security performance. In this brief post we define the basic principles of the BSc evaluation framework and give examples of Information Security key performance indicators.
Scorecard in Brief
The Balanced business evaluation framework has been around for about 15 years. It was initially introduced in 1992 as a way to demonstrate the implementation of non-material, intangible business goals. Since its first publication, the framework has become tremendously popular with organizations of many kinds: military units, schools, manufacturing, and non-profit companies. This business strategy evaluation system gives a holistic picture of the company's well-being from four viewpoints, or Perspectives (three non-financial and one financial). Such a scorecard helps answer the most crucial questions of any business entity:
What do our customers think about us? - Customer Perspective.
What are the underlying drivers of our success? - Internal Processes Perspective.
Do we work on improvement of our product? - Learning and Growth Perspective.
What do our shareholders think about our financial health? - Financial Perspective.
Having different perspectives allows business owners not only to evaluate their company's performance, but also to identify the aspects that influence the firm's success the most.
Balanced Scorecard in Information Security
In fact, the BSc approach to Information Security evaluation serves as a bridge between employees and senior executives, since it can represent complicated IT data in a way that is comprehensible to people who have nothing to do with Information Technology. Moreover, this framework can encompass and monetize aspects that seem intangible at first sight. This is where key performance indicators come into play.
Identifying Key Performance Indicators for Information Security
These measures form the core of any strategy evaluation system. Creating metrics for Information Technology needs doesn't have to be daunting. Information Security consists of the following levels: Information Availability, Information Integrity, Information Authenticity, and Personnel Protection (this level is often debated). Once you have these categories in your evaluation system, you can measure the number of failure events for each level. By doing this you create measurable entities for your business evaluation framework.
However, identifying the right KPIs is only half the battle. The other half is creating an effective system of data mining. Without gathering actual information on each KPI, it is impossible to get a holistic picture of how your business entity operates. The number of metrics should not be large. Too many metrics result in numerous reports and application forms for your employees, and these can be very distracting.
Please have a look at the IT security KPI metrics on our site. Make your company stable and protected.
