Sunday, August 26, 2007

How would you measure security? Is security measurable?

Your Public Answer:
“Hi ..., I have been answering this question for the last 10 years. Against the public infomercials, security is not priceless and security can be measured. There are several approaches, but I strongly recommend a version that is well defined and quantifiable. This method leads to risk-based information security measurement. The idea is very simple: you know your assets and their value for your operation; calculate all threats, vulnerabilities and risks based on your business operations and safeguards. Assigning some metrics to your risk level will help you to measure your security level.

When measuring information security you need solid metrics. Defining metrics is a tricky process. First you need clearly defined processes that can be measured. Then you need to define the method for measurement. Defining the frequency of measurement, data collection, analysis and reporting follow these basic steps.

I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institute (BSI) document, BIP0074. ISO requires well-defined processes and an Information Security Management System (ISMS). This duo will ease your job to measure the effectiveness of information security. Each ISMS control comes with an objective, so that you can measure the effectiveness of each objective. If you Google the keywords above, you will get plenty of information. Let me know if you have any specific questions. Regards, - yinal ozkan”
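As an added illustration of the risk-based measurement the answer describes (this is example code written for this page, not anything from the original post or from ISO 27004 / BIP0074): a small asset register where each asset has a business value, each threat a likelihood and a vulnerability factor, and each safeguard is tagged with the control objective it serves. Inherent risk, residual risk after safeguards, an overall "security level" metric and a per-objective effectiveness figure are derived from those inputs. The multiplicative risk model, the objective labels and every number are assumptions constructed for the example, not measurements.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    objective: str        # ISMS control objective the safeguard serves (labels are illustrative)
    effectiveness: float  # fraction of the threat's risk it removes, 0.0 .. 1.0


@dataclass
class Threat:
    name: str
    likelihood: float     # estimated annual probability of occurrence, 0.0 .. 1.0
    vulnerability: float  # degree of exposure of the asset to this threat, 0.0 .. 1.0
    safeguards: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    value: float          # business value of the asset, in monetary units
    threats: list = field(default_factory=list)


def inherent_risk(asset: Asset, threat: Threat) -> float:
    """Risk before safeguards: asset value x likelihood x vulnerability (assumed model)."""
    return asset.value * threat.likelihood * threat.vulnerability


def residual_risk(asset: Asset, threat: Threat, objective: str | None = None) -> float:
    """Risk after safeguards; independent safeguards multiply the remaining fraction.
    If `objective` is given, only safeguards serving that objective are applied."""
    remaining = 1.0
    for s in threat.safeguards:
        if objective is None or s.objective == objective:
            remaining *= 1.0 - s.effectiveness
    return inherent_risk(asset, threat) * remaining


def risk_register(assets: list[Asset]) -> list[dict]:
    """One row per asset/threat pair, largest residual risk first (the reporting view)."""
    rows = [
        {"asset": a.name, "threat": t.name,
         "inherent": inherent_risk(a, t), "residual": residual_risk(a, t)}
        for a in assets
        for t in a.threats
    ]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def security_level(assets: list[Asset]) -> float:
    """Overall metric: share of total inherent risk removed by safeguards in place (0.0 .. 1.0)."""
    rows = risk_register(assets)
    inherent = sum(r["inherent"] for r in rows)
    residual = sum(r["residual"] for r in rows)
    return 1.0 - residual / inherent if inherent else 1.0


def objective_effectiveness(assets: list[Asset]) -> dict[str, float]:
    """Per control objective: share of the inherent risk it covers that its own safeguards remove."""
    covered: dict[str, float] = {}
    left: dict[str, float] = {}
    for a in assets:
        for t in a.threats:
            for obj in {s.objective for s in t.safeguards}:
                covered[obj] = covered.get(obj, 0.0) + inherent_risk(a, t)
                left[obj] = left.get(obj, 0.0) + residual_risk(a, t, objective=obj)
    return {obj: 1.0 - left[obj] / covered[obj] for obj in covered}


# Constructed sample register; all figures are invented for illustration only.
SAMPLE_ASSETS = [
    Asset("customer-db", 100_000, threats=[
        Threat("sql-injection", likelihood=0.3, vulnerability=0.5, safeguards=[
            Safeguard("input validation", "secure development", 0.8),
            Safeguard("web application firewall", "network security", 0.5),
            Safeguard("patching", "operations security", 0.4),
        ]),
        Threat("ransomware", likelihood=0.2, vulnerability=0.4, safeguards=[
            Safeguard("offline backups", "operations security", 0.7),
        ]),
    ]),
    Asset("public-website", 20_000, threats=[
        Threat("defacement", likelihood=0.5, vulnerability=0.2),  # no safeguard yet: residual == inherent
    ]),
]


if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['asset']:16} {row['threat']:14} "
              f"inherent={row['inherent']:9.0f} residual={row['residual']:8.0f}")
    print(f"overall security level: {security_level(SAMPLE_ASSETS):.1%}")
    for obj, eff in objective_effectiveness(SAMPLE_ASSETS).items():
        print(f"objective '{obj}': {eff:.1%} of covered risk removed")
```

Two things the numbers show that the prose does not: an unprotected low-value asset (the website) can end up above a well-protected high-value one in the residual-risk ranking, and a control objective's effectiveness is only as good as its weakest safeguard across the threats it covers, which is why the answer's advice to measure per objective matters. Re-running the same computation on a fixed schedule, with the inputs refreshed from real data collection, is the "frequency, data collection, analysis and reporting" loop the answer refers to.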
