This workshop focuses on how to measure the right things in order to make informed management decisions, take the appropriate actions, and change behaviors. But how do managers figure out what those right things are? Public and private organizations today often base cyber risk management decisions on fear, uncertainty, and doubt (FUD), and the latest attack. The Measuring What Matters: Security Metrics Workshop, the learner will learn how to refine a strategic or business objective that meets that S.M.A.R.T.E.R. criteria: Specific, Measurable, Achievable, Relevant, Time-bound, Evaluated, Reviewed, and can be used to initiate the Goal - Question - Indicator - Metric (GQIM) process.
- Identify a core set of business goals, based on the business objective, to which the cybersecurity risk measurement program will be applied.
- Formulate one or more key questions for each business goal, and use them to help determine the extent to which the goal is being achieved.
- Identify one or more indicators for each business goal key question.
- Identify one or more metrics for each indicator that most directly inform the answer to one or more questions.