  • RISK METRICS - measuring the risk dynamics taking place across your environment to gain meaningful insights and actionable results.

A key goal of my consultancy is to provide you with data that are genuinely useful. Recently, I had one client describe their existing IT security metrics as ‘coffee table metrics’, meaning the results looked pretty but they didn’t really tell him very much that was useful. What I gave him was a new set of metrics that ‘took the temperature’ of the risk dynamics occurring at multiple places within his IT estate. This let him see what his main risk issues were and gave him the understanding and measurements he needed to deal with those.

Drawing on my scientific training, I can design security risk metrics that will show you what is really going on within your environment.


Metrics that expose not just how much threat activity you are facing but the extent to which that activity is capable of causing you harm.

Metrics that expose not just how extensively a control has been implemented but its effectiveness at interceding in the progress of the threat and limiting the harm that threat can cause.


Metrics that show how much harm each threat is causing, and where to focus your effort to achieve the greatest effect.

As I have done for others, I can design for you a set of security metrics that will tell you what is going on within your IT estate, from an actionable risk perspective, and as broadly or as deeply as you might like.  Some thoughts to help:

  • For most organisations, executive management wants its security discussions and activities to be driven by an understanding and assessment of the risks. Many security technicians think in terms of attacks and vulnerabilities, and feel that risk is the difficult end of the security space to deal with, but for executive management risk is the language they speak, and it is in risk assessments that they want their organisation’s security activities to be rooted.
  • People understand that most risk assessments are fundamentally subjective, and that objectivity requires data. Often, people anticipate that gathering meaningful data requires an enormous amount of effort. But it doesn't have to. Think about it like climbing a ladder. Even your initial efforts climbing the first few rungs will give you improved visibility of your threat and risk landscape.  And each additional step up the ladder gives you a better view and helps you improve your risk management practices. The benefits, even in the early stages, readily justify the effort.
  • Gathering and using data to improve practices is commonplace in other walks of life. Whether it is economists measuring aspects of the macro economy to understand the effects of fiscal controls, bridge engineers gathering data about bridge failures to understand how to build safer bridges, or Quality Managers gathering data about the products produced to ensure better product quality, people have developed the data gathering systems they need to enable their processes and practices to be improved. People do this because the results bring sufficient value to justify the effort. The same holds true in the security space. Build the right data gathering systems and you will be able to improve your security practices.
  • Data gathering doesn't need to be exhaustive. Measurements need to be only as detailed as is required to support the risk management decision that is to be made.  Yes, it cannot be disputed that the more accurate and precise the input data, and the more exacting the analysis, the more accurate and precise the output results will be. However, this does not mean that data gathering needs to be done to the nth degree. If current decisions are based on subjective and relative inputs, then even moderately precise data and sound (but not exacting) analysis will represent a significant step forward.

If you would like to know what data to collect and how to get meaningful risk-relevant insights, then please get in touch using the contact details at the top of this page.

© Copyright 2018 JLIS Ltd - All Rights Reserved