Professional Documents
Culture Documents
Disgruntlement mitigation. Percentage of the time when managers and HR are
aware of allegations of an unfair or hostile work environment (bully bosses,
coercion, sexual or racial harassment, etc.) that they take positive actions, and do
not retaliate against the alleged victims. While disgruntlement is only one of many
motivators for inside attacks, it is one of the easiest to counter. A related metric is
the number of times that the organizations grievance and employee assistance
programs are used. They will only be used frequently if employees view them as
safe, effective, and legitimate. Perception is everything.
Employee turnover rates for both security and non-security personnel. This is
closely related to the insider threat.
Frequency of formal and informal communication between security personnel
(including low-level personnel) and non-security employees and contractors.
Security by walking around is an effective strategy.
Resiliency preparation. Prevention is difficult. A good security program needs to
be ready in advance to lead recovery after a serious security incident, including
tampering, hacking, and counterfeiting.
Amount of What Ifs? How often do employees and security personnel mentally
or physically rehearse possible security incidents, and how often are novel incidents
considered? Even wildly implausible scenarios get people thinking creatively about
security!
Frequency of formal and informal vulnerability assessments, number of
ongoing vulnerabilities and potential countermeasures identified, and number of
suggestions for security improvements, including from low-level personnel and
non-security employees. (It is important to realize that vulnerability assessments
are not the same thing as threat assessments, security surveys, performance testing,
Red Teaming, pen(etration) testing, or compliance auditingthough these things
are worth doing and can shed some light on vulnerabilities.)
Number of security changes recently introduced. This leads us to the idea of
Marginal Analysis. (In mathematics and economics, marginal means rate of
change.)
Now securing even a medium-sized enterprise or facility is a very complex minimization
problem. Risk needs to be minimized while considering hundreds of different security
parameters (variables) involving security personnel, technologies, spatial and temporal
deployment of resources, possible security strategies, assets to be protected, threats,
vulnerabilities, training, etc. This is very much like a classic minimization problem in N-
dimensional space, where N is quite large.
Figure 1 - Risk as a function of two security parameters. Traveling down hill to a valley
(minimum) in the risk surface allows us to find the optimum settings for the 2 parameters.
We can conclude that we have pretty good security if no changes significantly lower the
risk. This may be more practical than an absolute determination of security effectiveness.
Somewhat counter-intuitively, the changes in your security should involve variations in
more than just 1 parameter at a time. The changes will usually be minor. Every once in a
while, however, it is important to consider large changes. This is because you may
currently be in a local valley in the risk surface. There might be a lower valley over the next
hill or mountain, and a large change could allow you to locate this lower risk. (It is,
however, important not to let the best be the enemy of the good. Often a good security
solution is acceptable rather than demanding the absolute best, i.e., the absolute lowest
valley.)
Now the risk surface in figure 1 is constantly morphing and fluctuating over time with
changes in threats, assets, personnel, technologies, etc. So this process of introducing
changes to see if the risk gets lowered is ongoing and not a one-time activity. It is also