Necessary measures: Metric-driven information security risk assessment and decision making

Cited by: 18
Authors
Baker, Wade H. [1 ]
Rees, Loren Paul
Tippett, Peter S.
Affiliations
[1] Virginia Tech, Blacksburg, VA 24061 USA
[2] Virginia Tech, Dept Business Informat Technol, Blacksburg, VA USA
[3] ICSA Labs, Mechanicsburg, PA USA
DOI: 10.1145/1290958.1290969
CLC classification: TP3 [Computing technology, computer technology]
Subject classification code: 0812
Abstract
Measurable, reliable real-world metrics are being used to improve information security decision making. Management is identifying and understanding the threats facing the organization to be able to take systematic action to reduce risk. Various taxonomies using a variety of techniques have been proposed to classify and systematize threats to information security. Security initiatives are more commonly driven by compliance mandates than by the principles of risk management. A more reasoned approach to measure and model security factors, including carefully delineating threats, gathering impact and financial loss data, and calculating reduced vulnerability through countermeasures, is required. Improved analysis and decision making should be expected to follow after taking these necessary measures.
Pages: 101-106
Page count: 6