Metrics for measuring security

Security professionals use a large number of metrics to measure and compare the security of a business. Most of these metrics are hard for ordinary business people to understand, let alone to know what they are actually measuring.

To make sure that your small or medium business or not-for-profit organisation is doing the right thing, here are some basic metrics that can be applied to your organisation. They will show you, as a manager or owner, where your business stands and at what level of security it is protected.

Same as the mean

Most businesses spend about 7% of their IT budget on security. If your business is spending only 3%, that could mean you are underspending on the security infrastructure of your organisation.

We often get comments that security is similar to the Y2K scare: all hype. Today's world of connected businesses, social media and the proliferation of tablets and mobile phones makes your business vulnerable simply by being in business. Spending less on your security infrastructure is an indication that you may not understand the electronic risks involved in today's business world.


If your organisation is applying software and application updates and security patches in a timely way, then you are in a good position. There is not much defence against zero-day exploits, but by applying patches promptly you have a better chance of not being compromised through vulnerabilities that are already known and fixed.

How promptly you apply patches to your business systems is an indication of your security readiness. The lead time between patch release and installation is a quick security metric for any business.
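The patch lead-time metric described above, worked as an added example that is not from the post: given a constructed list of patch release and install dates (hypothetical identifiers and dates), it reports the mean, median and worst-case release-to-install lead time and flags patches that exceed an assumed 30-day target, counting still-outstanding patches as overdue once they have been available longer than that.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (hypothetical ids and dates, not from the post):
# (patch id, vendor release date, install date; None = not yet installed).
PATCH_RECORDS = [
    ("PATCH-EXAMPLE-001", date(2014, 3, 11), date(2014, 3, 14)),
    ("PATCH-EXAMPLE-002", date(2014, 3, 11), date(2014, 4, 30)),
    ("PATCH-EXAMPLE-003", date(2014, 4, 8), date(2014, 4, 9)),
    ("PATCH-EXAMPLE-004", date(2014, 4, 8), None),
]
REPORT_DATE = date(2014, 5, 1)  # constructed reporting date


def patch_lead_time_metrics(records, as_of, sla_days=30):
    """Summarise release-to-install lead time for a set of patches.

    A patch is overdue if it was installed more than sla_days after
    release, or is still outstanding and has been available for more
    than sla_days as of the reporting date.
    """
    lead_times = []
    overdue = []
    for patch_id, released, installed in records:
        if installed is None:
            if (as_of - released).days > sla_days:
                overdue.append(patch_id)
            continue
        days = (installed - released).days
        lead_times.append(days)
        if days > sla_days:
            overdue.append(patch_id)
    total = len(records)
    return {
        "patches": total,
        "installed": len(lead_times),
        "outstanding": total - len(lead_times),
        "mean_days": mean(lead_times) if lead_times else None,
        "median_days": median(lead_times) if lead_times else None,
        "max_days": max(lead_times) if lead_times else None,
        "within_sla_pct": round(100 * (total - len(overdue)) / total, 1),
        "overdue": overdue,
    }


def sample_report():
    """Run the metric over the constructed sample data."""
    return patch_lead_time_metrics(PATCH_RECORDS, REPORT_DATE)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```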


For most small businesses a standard operating environment (SOE) is out of reach, but more of them are trying to achieve that level of standardisation. The more your workstations, laptops, tablets, phones and servers share the same hardware and software, the easier they are to manage.

An SOE also takes much of the pressure out of patching. One image can be created for each type of system, which allows for quicker maintenance, management and monitoring within the business.


The sooner your business becomes compliant with government or industry regulations, the easier it is to properly measure your business security. Compliance is a culture change and only comes about from the top down. If management is pushing for more compliance, not only to protect themselves but to protect their staff, then this will be understood by all concerned.

Getting your business to a compliant level can be difficult and will be a component of your IT security budget, but in the long run it is well worth it, as it protects the business, management, staff and customers.

Track your cowboys

IT is full of them: technicians who don't like rules, who always step outside business requirements, who do things the easy way rather than the right way, or who install unauthorised systems on the network. These are today's cowboys. They don't like rules, do not want to know or care about the business's compliance issues, and only do things that suit them or involve bleeding-edge, shiny technology.

These people can easily endanger your business security by installing rogue wireless access points, installing systems that do not comply with your business requirements, and changing permissions and access because it is easier than making those systems more secure.

So there you have it: 5 metrics that you can use to take a quick measure of your business security. Don't skimp on your security budget, patch everything as soon as it becomes available, try to standardise the IT components within your business, build compliance into your business as much as possible, and keep a rein on your cowboys.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.