How to Measure Anything in Security

To Risk or Not to Risk is the title of an earlier article from The Security Minute that discusses how risk acceptance decisions are made unknowingly when security proposals present cost and other factors but omit risk factors.

A number of readers and colleagues have asserted to me that many aspects of risk are too difficult or too time-consuming to measure, and that’s why security proposals rarely include the intended “before” and “after” risk picture. I have similarly been told that metrics programs are not worth all the trouble it takes to implement and maintain them. Yet I know that is far from the case, as there are practitioners who have done an excellent job with security risk metrics.

The Challenge of Measurement

The challenge of measurement is a topic that will be taken up in several articles starting with this one. Misconceptions relating to risk metrics stem from a misunderstanding about what constitutes measurement intended to support business decisions, whether we’re talking about security risk or other business risk.

Anything can be measured. If a thing can be observed in any way at all, it lends itself to some type of measurement method. No matter how “fuzzy” the measurement is, it’s still a measurement if it tells you more than you knew before. And those very things most likely to be seen as immeasurable are, virtually always, solved by relatively simple measurement methods.
—Douglas W. Hubbard

The Presumption of Immeasurability

In my opinion, nothing undermines the establishment of a sound security program more than the presumption (by security practitioners as well as business managers) that many security benefits are “soft”, cannot be measured, and thus are of no real value. Just last week I reviewed a proposal intended to gain executive support for a multi-million dollar enterprise security initiative, which stated that the main benefits were “soft” and so would not be presented for consideration. (I see many proposals that contain such statements and omissions, so I’m not singling out any particular person or company.)

If you can’t explain what the main business benefits are for your proposed initiative, how in the world can a senior executive approve the initiative and provide executive-level support? Think about it. In this circumstance a sound senior-level decision would require the senior executive to know more about your field of expertise and responsibility than you do. That’s not a good recipe for job security or for effectively improving security!

How do you effectively measure business intangibles? That is the $64,000 question. Public opinion and business reputation are intangibles. But stocks and fortunes can rise and fall on the change of state of those intangibles. Thus business intangibles can have some very tangible real world impacts. And so observable and measurable effects are definitely a part of that picture.

The $30 Answer to the $64,000 Question

I know a guy who for less than $30 will tell you all you need to know about measuring intangibles. The bad news is that there is a catch to it. You get facts, advice, proof, lessons and examples. But you have to do your own thinking about how to apply this to your particular organization. It won’t be super-easy, but the good news is that it will be much easier than you think. A 2,000 year old story illustrates how seemingly impossible measurements can be very possible and very doable.

How an Ancient Greek Measured the Size of the Earth

I would say that this story should put all “metrics” and “soft benefits” naysayers to shame—except for the fact that the most important aspect of measuring business intangibles has been a well-hidden secret, even to business and risk experts. Here is the secret: Measurements only have to be good enough, and certain enough, to support a sound business decision. The surprising fact is that most of the time the needed decision-supporting data is easily obtainable, if not already obvious.

About 2,200 years ago an ancient Greek named Eratosthenes calculated the circumference of the Earth without leaving his hometown of Alexandria, Egypt. He didn’t use accurate survey equipment and of course didn’t have laser instruments or satellite GPS tools. He also didn’t try the method that most learned people at the time would have thought necessary: to circumnavigate the Earth, a risky lifetime endeavor 2,000 years ago. If these circumstances don’t all cry out “too hard to measure” I don’t know what does!

While in the Library of Alexandria he read that a certain deep well in Syene, a city in Southern Egypt, would have its bottom entirely lit by the noon sun one day each year. This meant, of course, that the sun must be directly overhead at that point in time. But he also observed that at that same moment, vertical objects in Alexandria received sunlight at a slightly different angle. Eratosthenes recognized that he could use this information to assess the curvature of the Earth. And he did so to an accuracy of 3% (see Footnote 1). In fact a more accurate measurement would not be made (although attempted many times) until 300 years after Columbus arrived in America.

The point is that a 3% accuracy on that piece of information was more than sufficient to clarify business and government decision factors at the time. As in many decision situations, we only need enough certainty and clarity to decide.

What Are We Measuring?

Douglas Hubbard describes a three-step clarification chain that can bring us from thinking of something as an intangible, to thinking of it in measurable ways.

Clarification Chain

1. If it matters at all, it is detectable/observable.

2. If it is detectable, it can be detected as an amount (or a range of possible amounts).

3. If it can be detected as a range of possible amounts, it can be measured.

The clarification chain, along with other material in this article, is taken from Hubbard’s book, How to Measure Anything: Finding the Value of “Intangibles” in Business, second edition. This is the (less than) $30 answer that I mentioned above.

We Have More Data Than We Think We Do

When it comes to making measurements to support decisions, almost always it turns out that we have more data than we think we do. The challenge is to determine what “good enough” means for any particular decision. As Warren Buffett has said, “It is better to be approximately right than to be precisely wrong.”

Furthermore, just about anyone can develop an intuitive approach to measurement, according to Hubbard. A fair amount of the work is overcoming our own and others’ misconceptions. The book contains plenty of business case study examples of what to do and what not to do.

It turns out that the multi-million dollar security proposals that avoid obvious benefits because they are “too hard to measure” are in a category of analysis avoidance that Hubbard calls the Risk Paradox.

Risk Paradox

If an organization uses quantitative risk analysis at all, it is usually for routine operational decisions. The largest, most risky decisions get the least amount of proper risk analysis.

Yet it turns out that there is nothing “immeasurable” about big decisions.

Increase Your Business Value

The job of security is to reduce security risks to acceptable levels, at an acceptable cost. What is an acceptable level of risk? What is an acceptable cost to achieve it? These are business decisions. Thus it is the role of security and risk management practitioners to enable senior and middle management to make risk decisions by providing them with the parts of the risk picture that relate to their decisions, with some “before” and “after” comparisons.

Increasing your value to your organization, with regard to supporting the “hard” business decisions, just may be easier than you think. Along that line I’ll leave you with one final thought from the book, with the bold and italic emphasis added by me. You will have to read these points slowly and carefully, as I’m presenting the ideas out of their original context in the book.

A Common Measurement Myth

Myth: When you have a lot of uncertainty, you need a lot of data to tell you something useful.

Fact: If you have a lot of uncertainty now, you don’t need much data to reduce uncertainty significantly. When you have a lot of certainty already, then you need a lot of data to reduce uncertainty significantly.
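The myth and fact above can be checked numerically. The following is an added illustration, not code from the article or from Hubbard’s book: it assumes a quantity such as “fraction of servers missing a critical patch” is modeled as a Beta distribution, and the audit sample (3 of 10 spot-checked hosts found unpatched) is a constructed value.

```python
"""Show how the same small sample narrows a vague belief far more than a
confident one. The proportion of interest (e.g. share of hosts missing a
critical patch) is modeled as Beta(a, b); a and b act as 'prior evidence'.
The 3-of-10 audit result used below is constructed for illustration."""
import math


def beta_sd(a: float, b: float) -> float:
    """Standard deviation (spread) of a Beta(a, b) belief about a proportion."""
    return math.sqrt(a * b / ((a + b) ** 2 * (a + b + 1)))


def update(a: float, b: float, hits: int, n: int) -> tuple:
    """Conjugate update: n items checked, `hits` of them found unpatched."""
    return a + hits, b + (n - hits)


def uncertainty_reduction(a: float, b: float, hits: int, n: int) -> float:
    """Fraction by which the belief's spread shrinks after seeing the sample."""
    before = beta_sd(a, b)
    after = beta_sd(*update(a, b, hits, n))
    return 1.0 - after / before


def compare(hits: int = 3, n: int = 10) -> dict:
    """Apply one constructed audit result to two starting beliefs:
    - vague prior Beta(1, 1): uniform, 'could be anywhere from 0% to 100%'
    - confident prior Beta(50, 50): already fairly sure it is about 50%
    Returns the relative spread reduction for each."""
    return {
        "vague_prior": uncertainty_reduction(1, 1, hits, n),
        "confident_prior": uncertainty_reduction(50, 50, hits, n),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        # Expected: roughly 55% for the vague prior, under 5% for the confident one
        print(f"{name}: spread reduced by {r:.0%} after 10 spot checks")
```

Ten spot checks cut the vague belief’s spread by about half, while the same ten checks barely move the confident belief; reducing uncertainty that is already small is what needs a lot of data.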

So get the book, do your homework, and become more powerful as a business decision enabler.

Best regards,
Ray Bernard


Footnote 1: M. Lial and C. Miller, Trigonometry, 3rd ed. (Chicago: Scott, Foresman, 1988).
