The risk is measurable

“Risk cannot be measured” is a claim often made about information security, borrowing the language of science and mathematics. While it is true that some risk measurements are subjective, it is naive to conclude that measurement is impossible. Risk itself is not a number, but a measure of risk is.

For example, you can measure:

* The percentage of suppliers that meet an organization’s standards,

* A percentage level of compliance with the regulations, and

* The number of vulnerabilities present in an environment.

It is critical that credit unions identify, prioritize, and manage risk. Management and technical staff should jointly define the criteria for measuring information security performance. And these measures must clearly align with business goals and strategies.

When developing metrics, avoid technical, legal, and topical jargon. Focus on measuring the services provided. Clearly define objectives, strategies, and measures. This supports open communication, careful planning, and well-justified spending.

Here are common excuses to avoid risk measurement:

* “The management does not understand.” Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires in-depth knowledge of technology, risk modeling, physical security, laws, and regulations. Technical complexities often make communication between management and information technology (IT) staff difficult. The challenge for IT staff: Convey complicated information simply and clearly. The challenge for management: Be willing to accept change.

* “Security measurement is for large credit unions only.” Embedding information security risk measurement into an organization’s processes takes time, persistence, and often a cultural shift. People often feel threatened, dislike change, or have political motivations that delay the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when metrics support budget requests and provide valuable ROI data.

* “Security moves too fast.” Technology continues to change at an astonishing rate. Many people feel that information security measurement cannot keep up with technological change. But the problem may actually be poorly designed measurements. The intent of measurement is to align IT with corporate strategy. Clearly define the goals and objectives of the organization. Then measure information security against those goals and objectives.

SMART Measurements

Wise decisions require simple, measurable, achievable, repeatable, and timely (SMART) information. Keep information security risk measures:

* Simple. The purpose of each measurement must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal, and other jargon. Avoid data overload and stay focused on specific performance metrics.

* Measurable. While many facets of security and risk are difficult to quantify, focus on what can be measured, such as the number of vulnerabilities or the number of incidents. Define each count precisely (what qualifies as an incident, which severities are included, what “open” means) so that the number means the same thing every time it is collected.

* Achievable. Some measurements are direct results of existing reports and systems; others may require analysis to derive the value. Make sure your measurement goals are achievable over time, as they need to be continually assessed and managed at minimal cost.

* Repeatable. Since you’ll want to show trends to generate useful data, make sure the measurements are easy to take over time and can be repeated.

* Timely. Outdated information can bias the analysis and directly affect decisions. The timeliness of data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimum manual activity. Establish clear communication channels and access rights from the start.
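The SMART properties above become concrete once a metric is written as a precise, repeatable computation over raw records. The following Python script is an added example, not code from the original article or from any credit union: it derives a small set of vulnerability-management KPIs (open findings by severity, share of open findings past their remediation deadline, share of closed findings that were fixed within the deadline, and mean days to close) from a constructed list of findings, and compares the same metric at two dates to show a trend. The remediation deadlines in `SLA_DAYS`, the `Finding` record layout and the sample data are all assumptions made for the example.

```python
"""Repeatable vulnerability-management KPIs computed from raw findings.

Added example; the SLA values, record format and sample data are assumptions,
not figures from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union

# Hypothetical remediation deadlines in days, by severity (an assumption).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

DateLike = Union[str, date]


def _as_date(value: DateLike) -> date:
    """Accept either a date or an ISO-8601 string so callers can pass "2024-03-31"."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    found: date
    closed: Optional[date]  # None means the finding is still open

    def __post_init__(self) -> None:
        # Reject severities we have no SLA for; an undefined bucket would make
        # the percentages silently wrong rather than fail loudly.
        if self.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {self.severity!r} for {self.vuln_id}")
        if self.closed is not None and self.closed < self.found:
            raise ValueError(f"{self.vuln_id} closed before it was found")


def open_findings(findings: List[Finding], as_of: DateLike) -> List[Finding]:
    """Findings that existed on as_of and had not yet been closed on that date."""
    cutoff = _as_date(as_of)
    return [f for f in findings
            if f.found <= cutoff and (f.closed is None or f.closed > cutoff)]


def open_count_by_severity(findings: List[Finding], as_of: DateLike) -> Dict[str, int]:
    counts = {s: 0 for s in SLA_DAYS}
    for f in open_findings(findings, as_of):
        counts[f.severity] += 1
    return counts


def _pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def kpi_snapshot(findings: List[Finding], as_of: DateLike) -> Dict[str, object]:
    """The same four KPIs, computed the same way, for any as_of date."""
    cutoff = _as_date(as_of)
    still_open = open_findings(findings, cutoff)
    overdue = [f for f in still_open
               if (cutoff - f.found).days > SLA_DAYS[f.severity]]
    closed = [f for f in findings if f.closed is not None and f.closed <= cutoff]
    within_sla = [f for f in closed
                  if (f.closed - f.found).days <= SLA_DAYS[f.severity]]
    days_to_close = [(f.closed - f.found).days for f in closed]
    return {
        "as_of": cutoff.isoformat(),
        "open_total": len(still_open),
        "open_by_severity": open_count_by_severity(findings, cutoff),
        "overdue_open_pct": _pct(len(overdue), len(still_open)),
        "closed_within_sla_pct": _pct(len(within_sla), len(closed)),
        "mean_days_to_close": (round(sum(days_to_close) / len(days_to_close), 1)
                               if days_to_close else None),
    }


def trend(findings: List[Finding], earlier: DateLike, later: DateLike, key: str):
    """Change in one numeric KPI between two snapshot dates (later minus earlier)."""
    before = kpi_snapshot(findings, earlier)[key]
    after = kpi_snapshot(findings, later)[key]
    if before is None or after is None:
        return None
    return after - before


# Constructed sample data for the example; not real scan output.
SAMPLE: List[Finding] = [
    Finding("V-1", "critical", date(2024, 1, 2), date(2024, 1, 6)),    # 4 days, within SLA
    Finding("V-2", "critical", date(2024, 1, 10), date(2024, 1, 25)),  # 15 days, over SLA
    Finding("V-3", "high", date(2024, 1, 15), None),                   # open, overdue by March
    Finding("V-4", "medium", date(2024, 2, 1), date(2024, 3, 15)),     # 43 days, within SLA
    Finding("V-5", "low", date(2024, 2, 20), None),                    # open, within SLA
    Finding("V-6", "high", date(2024, 3, 1), None),                    # open, exactly at SLA
]

if __name__ == "__main__":
    for snapshot_date in ("2024-01-31", "2024-03-31"):
        print(kpi_snapshot(SAMPLE, snapshot_date))
    print("open_total change:", trend(SAMPLE, "2024-01-31", "2024-03-31", "open_total"))
```

Every KPI is a pure function of the findings list and a date, so re-running it next quarter, or against last quarter, gives comparable numbers; the `None` results avoid reporting a misleading 0% or 100% when a period contains nothing to measure, and the strict validation in `Finding` makes a bad input fail rather than quietly skew a percentage.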

Your credit union can measure information security performance. Risk models, financial measures, key performance indicators, and other measures can help you align information security with organizational goals and strategies.