Part Two: Metrics, Indicators, and Technology
Part Two: Metrics, Indicators, and Technology

This next section in the CISM learning path covers a range of topics relating to information security and highlights the processes, techniques, and standards that can be used to protect your organization.

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Understand how roles and responsibilities can be used in information security
  • Learn about due care and due diligence
  • Learn the principles of cybersecurity
  • Understand how to use metrics, indicators, and security-related technology
  • Learn about the security standards and frameworks to protect organizations

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field. 



We're going to move on to Section 15. It's a fundamental principle of all kinds of management, whether business or technological, that if you can't measure it, you can't manage it. The question we're going to explore in this next section centers on this very principle, and the best way of how we can go about deciding how to manage it in a cybersecurity sense.

So in this section, we are going to discuss the questions regarding metrics, indicators, and how best to choose because these metrics are going to be used to provide intelligence value.

We begin with the basic question what metrics do we have and which ones matter most? There are many metrics to choose from in the world of cybersecurity, but the question really boils down to which ones are the best to have as far as telling us information we need to know that becomes actionable intelligence? Program performance requirements that we measure things to ensure that our goals are being met, the timelines are being set and attained, and that budgets are not being overrun. The only way to do this effectively, of course, is through the use of metrics. Their identification, their sourcing, and their application to answering business questions and solving business problems.

There are, of course, several hundred, if not thousands of metrics that we could choose from. Therefore we must choose our metrics with prudence and with care because these are going to provide information to inform our decisions. Some of these metrics are vital, even urgent. And what they tell us, some are interesting and supportive of other metrics. However, some metrics are of little value, in fact, and in fact function as distractions.

The importance here is we must distinguish between these, the ones that are of true value and the ones that are merely entertaining or distracting. On this slide of 12 different metrics, which may be metrics that you yourself are interested. These 12 are, of course, but very few of the total number of metrics that we could have.

So the question also arises how do we characterize the metrics that we want and what do they actually tell us? One type of metric is called a KGI, or key goal indicator. KGIs are indicators when a process has achieved its goal. An example would be to achieve compliance with law, and an indicator would illustrate how close or how far away from that point we are.

The second type of metric is called a CSF, or critical success factor. This type indicates an element or an event that must occur to achieve the key goal indicator. An example of this one might be the passage of a safety inspection prior to the launching of a rocket to which those engines are attached.

The third type is a key performance indicator, or KPI. These tell us how well a process is performing relative to its goal. An example of this might be what percentage of onboard computers installed on a rocket, as compared to how many are supposed to be installed when the task is completed.

For our purposes, a very important key risk indicator, called a KRI. These indicators tell us about behaviors, activities, or events that are accompanied by an increase in risk. An example of this might be a number of failed tests on various components that have occurred during the week.

If the number of failures increases, then the key risk indicator shows that the risk is increasing, whereas a drop in failures indicates that the risks are dropping. So, as I said, we must choose prudently the various metrics we are going to use to inform us about how our program is progressing and that we must exercise caution in the selection of metrics to give us these indications so that our vision is not clouded by distractions.

We now move into Section 16 for discussion of technologies that we will employ in our programs. In these common security related technologies, some of these will be negatives or even hostile things that we have to protect against, while others will be the tools to use to protect against them.

We first have adware. This is unwanted software that displays advertisements and can in fact mask more hostile implantations of code into our systems. Then we have several tools that act as defense mechanisms against the various hostile elements that seek to compromise our systems. These include the list that you see on the slide, beginning with anti-spam device, antivirus or anti-malware as we call it these days, a firewall, which serves as a packet filter to control traffic, a gateway, which serves as a way of joining two network segments together and possibly filtering the traffic bi-directionally, IDS and IPS for intrusion detection and prevention devices.

Next, we have our standard network or internet protocols, which you see there. And the one-way hash, which is a cryptographic function typically used as a fingerprint to assure us that the item that it is attached to has not been tampered with in any way. The command and control function is a central command point from which many of these activities or devices may be controlled or directed. This set of things and actions forms very much the heart of our overall security program. 

Moving on to the second slide, we see that we have PKI, which is a hybrid encryption system that handles our public key encryption as well as aspects of our symmetric encryption. We have the router that serves as a traffic cop, so to speak, on our network. 

We have spyware, which is a form of software that watches user behaviors and reports back to its main operator. Virtualization is a common tool that enables expansion of various computer-based resources and serves as the heart of technology, so to speak, of cloud computing. 

We have the converge technology of voiceover IP that converts circuit-type traffic of traditional voice to packetized traffic, similar to the data type that we do now. Wireless security, which uses network protocols, such as WPA2, that encrypts traffic flowing over the air to ensure that will be as secure as the traffic is flowing through the wire.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.