We're going to move on to Section 15. It's a fundamental principle of all kinds of management, whether business or technological, that if you can't measure it, you can't manage it. The question we're going to explore in this next section centers on this very principle, and the best way of how we can go about deciding how to manage it in a cybersecurity sense.

So in this section, we are going to discuss the questions regarding metrics, indicators, and how best to choose because these metrics are going to be used to provide intelligence value.

We begin with the basic question what metrics do we have and which ones matter most? There are many metrics to choose from in the world of cybersecurity, but the question really boils down to which ones are the best to have as far as telling us information we need to know that becomes actionable intelligence? Program performance requirements that we measure things to ensure that our goals are being met, the timelines are being set and attained, and that budgets are not being overrun. The only way to do this effectively, of course, is through the use of metrics. Their identification, their sourcing, and their application to answering business questions and solving business problems.

There are, of course, several hundred, if not thousands of metrics that we could choose from. Therefore we must choose our metrics with prudence and with care because these are going to provide information to inform our decisions. Some of these metrics are vital, even urgent. And what they tell us, some are interesting and supportive of other metrics. However, some metrics are of little value, in fact, and in fact function as distractions.

The importance here is we must distinguish between these, the ones that are of true value and the ones that are merely entertaining or distracting. On this slide of 12 different metrics, which may be metrics that you yourself are interested. These 12 are, of course, but very few of the total number of metrics that we could have.

So the question also arises how do we characterize the metrics that we want and what do they actually tell us? One type of metric is called a KGI, or key goal indicator. KGIs are indicators when a process has achieved its goal. An example would be to achieve compliance with law, and an indicator would illustrate how close or how far away from that point we are.

The second type of metric is called a CSF, or critical success factor. This type indicates an element or an event that must occur to achieve the key goal indicator. An example of this one might be the passage of a safety inspection prior to the launching of a rocket to which those engines are attached.

The third type is a key performance indicator, or KPI. These tell us how well a process is performing relative to its goal. An example of this might be what percentage of onboard computers installed on a rocket, as compared to how many are supposed to be installed when the task is completed.

For our purposes, a very important key risk indicator, called a KRI. These indicators tell us about behaviors, activities, or events that are accompanied by an increase in risk. An example of this might be a number of failed tests on various components that have occurred during the week.

If the number of failures increases, then the key risk indicator shows that the risk is increasing, whereas a drop in failures indicates that the risks are dropping. So, as I said, we must choose prudently the various metrics we are going to use to inform us about how our program is progressing and that we must exercise caution in the selection of metrics to give us these indications so that our vision is not clouded by distractions.

We now move into Section 16 for discussion of technologies that we will employ in our programs. In these common security related technologies, some of these will be negatives or even hostile things that we have to protect against, while others will be the tools to use to protect against them.

We first have adware. This is unwanted software that displays advertisements and can in fact mask more hostile implantations of code into our systems. Then we have several tools that act as defense mechanisms against the various hostile elements that seek to compromise our systems. These include the list that you see on the slide, beginning with anti-spam device, antivirus or anti-malware as we call it these days, a firewall, which serves as a packet filter to control traffic, a gateway, which serves as a way of joining two network segments together and possibly filtering the traffic bi-directionally, IDS and IPS for intrusion detection and prevention devices.

Next, we have our standard network or internet protocols, which you see there. And the one-way hash, which is a cryptographic function typically used as a fingerprint to assure us that the item that it is attached to has not been tampered with in any way. The command and control function is a central command point from which many of these activities or devices may be controlled or directed. This set of things and actions forms very much the heart of our overall security program. 

Moving on to the second slide, we see that we have PKI, which is a hybrid encryption system that handles our public key encryption as well as aspects of our symmetric encryption. We have the router that serves as a traffic cop, so to speak, on our network. 

We have spyware, which is a form of software that watches user behaviors and reports back to its main operator. Virtualization is a common tool that enables expansion of various computer-based resources and serves as the heart of technology, so to speak, of cloud computing. 

We have the converge technology of voiceover IP that converts circuit-type traffic of traditional voice to packetized traffic, similar to the data type that we do now. Wireless security, which uses network protocols, such as WPA2, that encrypts traffic flowing over the air to ensure that will be as secure as the traffic is flowing through the wire.