Security metrics is the application of quantitative, statistical, and/or mathematical analyses to measuring security functional trends and workload. In other words, tracking what each function is doing in terms of level of effort (LOE), costs, and productivity. Security metrics management is the managing of an assets protection program and related security functions through the use of metrics. It can be used where managerial tasks must be supported for such purposes as supporting the security professional’s position on budget matters, justifying the cost-effectiveness of decisions, determining the impact of downsizing on service and support to customers, etc.
Security Metrics Management is designed to provide basic guidance to security professionals so that they can measure the costs of their assets protection program - their security program - as well as its successes and failures. It includes a discussion of how to use the metrics to brief management, justify budget and use trend analyses to develop a more efficient and effective assets protection program.
- Over 100 checklists, flowcharts, and other illustrations depict examples of security metrics and how to use them
- Drawings, model processes, model procedures and forms enable the reader to immediately put concepts to use in a practical application
- Provides clear direction on how to meet new business demands on the Security Professional
Dr. Kovacich has over 40 years of security, criminal and civil investigations, anti-fraud, information warfare, and information systems security experience in both government as a special agent and as a manager in international corporations. Dr. Kovacich currently resides on an island in Washington state where he continues to write, lecture and conduct research relative to information systems security, information warfare defensive and offensive operations, high-technology crime and techno-terrorism.
Edward P. Halibozek is currently a corporate vice president of security for a Fortune 100 company headquartered in Los Angeles, California. He holds a Master of Science in Criminal Justice and an MBA in business. Mr. Halibozek is an experienced lecturer and has written and published many articles, papers, plans, policies and procedures related to corporate security.
Mr. Halibozek is the former Chairperson for the Aerospace Industries Association, Industrial Security Committee and is a member of the Board of Directors for the Chief Special Agents Association in Los Angeles California. Mr. Halibozek served for four years as an Industry member to the National Industrial Security Program Policy Advisory Committee (NISPPAC).
The Security Profession and Its Role in Supporting Business and Government Agency Assets Protection Needs
This chapter will introduce and discuss the role of security in support of the needs of corporations and government agencies in today's global environment. It is provided to set the stage for a basic foundation for security, and assets protection managed through a security metrics management program.
INTRODUCTION
The world of the security professional has changed, as have so many professions, due to the technological changes and advances that have led to the phenomena of instant and mass global communications. Today's corporations can no longer afford to think locally or even nationally. Now, they must not only think globally but also compete in the global marketplace. Sure, some can survive in their small world of local or nation-based business (within a specific niche)—for now—but even they will be positively and negatively impacted by what is referred to as the "global economy."
Security professionals have been slow to recognize or admit that this change has impacted their profession. One just has to look at the ever-expanding threat agents and their sophisticated techniques for attacking corporate assets to see that the environment in which they work has changed and will continue to change, probably faster than ever before. However, that is only one of the many issues facing the security professional.
The role of security is often viewed in a much-maligned way—even by some security professionals. Employees (and that includes management) often consider security professionals as an extension of law enforcement. They imagine the security staff operating in an enforcement role, watching them and "making" them behave in a certain way—a way not necessarily conducive to good business practices, inconvenient and not in-line with their preferences. After all, today's employees are like most people. They are not receptive to constraints, particularly when they don't understand the reasons for them or the value the constraints bring to the business.
All too often, security professionals believe it is the "job" of employees to understand them and to be automatically supportive of them and security's role to protect business assets. The security specialists may grow impatient when they don't get the support they believe they need, require or deserve. After all, don't corporate employees understand how important the security job is? The answer is, "No, they probably don't and really don't think about it very often, if at all!"
When such an attitude is present, it is up to the security professionals to win over the employees with the help and support of management. This may not be what the security professional wants to do or hear, but in order to be a successful security professional and manage a successful assets protection program for the business, that is what must be done.
Yes, justifying one's job is not as enjoyable as performing it, but one way to look at it is to consider each new supporter as one more victory in the game of gaining assets protection program support. A security metrics management program (SMMP) can help the security professional explain security decisions, policies and practices in a way that employees and management can understand and appreciate—using the business language of costs and benefits instead of security lingo.
On the brighter side, the security profession has come a long way as a profession and is no longer using (in most cases anyway) what was often termed "the guard force mentality." The perception was, and is sometimes still true, that the security staff was made up of retired law enforcement or military personnel looking for a retirement job. Most of these individuals had little concept of the business world and of dealing with executive management whose priority is profits and not "following the rules" or "patriotism" at all costs.
Even today, retired law enforcement, intelligence or security professionals are often given the opportunity to lead security organizations in business over those business security professionals who "grew up" within the business. In many cases, executive management does not understand or appreciate the talents and the job done by the security professionals within their own companies. Furthermore, the security professionals have done a rather poor job of educating corporate management as to what it takes to be a 21st century security professional—and being an ex-spy or investigator is not the same as establishing and managing a corporate assets protection program. Again, using an SMMP can help the security professional, regardless of the prior background of the individual who is responsible for assets protection.
Another problem with some security specialists is that they may even consider that the business assets are "theirs" and they are responsible for their protection, like parents worry about their children. They may fail to realize that it is not their property. It is the property of the owner(s) who have delegated protection of those assets to the corporate management team.
Management and other business employees are slow to realize the change to a more educated, intelligent and technical security profession. However, this change has been gradually taking place over the last several decades. The security profession has become more complex and requires far more skilled security professionals, not only in security-related functions, but also in various other disciplines of the business world.
So, who are these security professionals in the 21st century and what is their role in the world of business? To understand that, let's look at the reasons for the increased need for security professionals in today's business world.
THE NEED FOR SECURITY PROFESSIONALS IN BUSINESS
Is there a need for business security professionals today? The answer may be obvious if you are in the security profession. However, you may be surprised to know that there are many in the corporations of the world that might not agree with you. You may wonder how anyone in a corporate management or leadership position could think that way. Although you may be able to rationalize employees feeling that way, since many of the assets protection requirements can cause them to operate in a way that they do not agree with.
You should remember that most people prefer to operate without, or with minimal, constraints. That includes management. People are basically the same throughout the world, and this is basic human nature. Ask yourself if you like being constrained. The answer is: of course not. A business security professional must keep that in mind. After all, you must try to get people to understand the need for and value of complying with security requirements or "constraints" which are needed to protect business assets. An SMMP helps you make the case for those security requirements. If you can't make the case with or without an SMMP, then perhaps you are the one who is wrong in that situation. That is possible you know, and something you as a security professional should always think about when making assets protection decisions—is it possible that this decision is the wrong one?
However, the security professional should not take attitudes of other employees personally. After all, security specialists not only provide guidance and direction as they establish operating constraints, but security is also an overhead cost. Therefore, as you often will be reminded throughout this book, if not done effectively and efficiently, security can be a "parasite on the profits." Management, as well as the corporate owners, feel the same way about any other function within the business that is a "profit parasite." They want those functions to be as effective and efficient, and the least intrusive as possible on their core business activities.
All that said, then why have corporate security? If it is a publicly held company, a lack of security may at a minimum violate some government laws or regulations. In other words, the responsibilities of executive management include protection of assets and much of this is accomplished under the direction and control of security. Another reason assets protection is needed is the lack of trustworthiness of a small number of employees. Most employees are very conscientious and are honest enough to do the right thing regardless of any security staff or business policies. However, as is often the case, resources are allocated for security to protect the business and the honest employees. The goal is to protect them from the few who, for some reason, have it in their nature to take what does not belong to them or to do harm. Actually, if you are a security professional, you should thank those miscreants from around the world for being dishonest, even for only a moment. Why? Because you owe your job and the growth of the security profession to the miscreants of the world; without them, security professionals would not be needed.
So, yes, security is necessary. Without it, as without a law enforcement presence in societies, there would be uncontrolled losses of business assets and maybe even human lives. With that being said, as the leader of the security department and therefore the one responsible for the protection of corporate assets, you must still justify your decisions that impact productivity and other costs. As you can guess by now, we believe that the SMMP can help justify assets protection decisions.
One thing that is seldom talked about but helps rationalize security personnel and assets protection that is integrated into our daily lives and that is it is often a form of psychological security. (It makes us feel protected, although we may not be protected as well as we think. Some of it may be an illusion.) Think about it. How often do you hear about items getting through the airport checks, the fact that cargo is not checked, and other such security processes, and yet old ladies and children are included in random physical searches at airports and other locations. Let's face it; unless we want to live in a total police state—maybe even then—no one can protect people, information or facilities with 100% certainty that no one can get through the "security net" and steal, damage, or destroy some valuable asset. It is all a matter of deciding on what are acceptable levels of risks based on costs and benefits. As can be seen by the 9/11 attack, some management risk-related decisions can have a terrible impact on corporations and people.
Remember also that security costs money. Protection of people, physical assets and information costs an organization in terms of convenience, productivity and dollars. Executive management and security professionals make risk assessments based upon threats and vulnerabilities every day. If there is no specific threat, fewer resources are allocated for protection, regardless of the vulnerability. If the threat is high and controls in place leave the system vulnerable, then more resources may be allocated for protection.
In the case of airport and airline security controls, since the threat to the system pre-9/11 was presumed to be low, management at that time could get away with few or minimal security controls and less capable, poorly trained security personnel. They could afford to accept the risks associated with minimal security controls. In hindsight, now that the threat is better understood, it was a hard and costly lesson to learn. (Continues...)
Section I: Introduction to the Role of the Security Professionals and Security Metrics Management
Chapter 1: The Security Profession and Its Role in Supporting Business and Government Agency Assets Protection Needs
Chapter 2: Management and a Security Metrics Foundation
Chapter 3: Policies, Procedures, Processes, Plans, and Projects
Chapter 4: Security Metrics Management Program – An Overview
Chapter 5: Case Study: Measuring Costs of Security
Chapter 6: Case Study: Six Sigma
Section II: Administrative Security
Chapter 7: Information Security
Chapter 8: Personnel Security
Chapter 9: Security Education & Awareness Training
Chapter 10: Security Compliance Audits
Chapter 11: Surveys and Risk Management
Chapter 12: Corporate Assets Protection Program
Chapter 13: Contingency Planning
Section III: Physical Security
Chapter 14: Guard Force
Chapter 15: Technical Security Systems
Chapter 16: Locks and Keys
Chapter 17: Fire Protection
Chapter 18: Executive Protection
Chapter 19: Event Security
Section IV: Security Operations
Chapter 20: Investigations & Non-Compliance Inquiries
Chapter 21: Government Security
Chapter 22: Information Systems Security
Chapter 23: Mergers & Acquisitions Security
Chapter 24: Outsourcing
Section V: The Security Profession and Metrics Management in the Future
Chapter 25: Preparing Now to Support Future Business Needs
Chapter 26: Security Metrics Management Technology of the Future and How to Prepare Now to Use It
Our reader reviews allow you to share your comments on titles you liked,
or didn't, with others. By submitting an online review, you are representing to
Barnes & Noble.com that all information contained in your review is original
and accurate in all respects, and that the submission of such content by you
and the posting of such content by Barnes & Noble.com does not and will not
violate the rights of any third party. Please follow the rules below to help
ensure that your review can be posted.
Reviews by Our Customers Under the Age of 13
We highly value and respect everyone's opinion concerning the titles we offer.
However, we cannot allow persons under the age of 13 to have accounts at BN.com or
to post customer reviews. Please see our Terms of Use for more details.
What to exclude from your review:
Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the
information on the product page, please send us an email.
Reviews should not contain any of the following:
- HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
- Time-sensitive information such as tour dates, signings, lectures, etc.
- Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
- Comments focusing on the author or that may ruin the ending for others
- Phone numbers, addresses, URLs
- Pricing and availability information or alternative ordering information
- Advertisements or commercial solicitation
Reminder:
- By submitting a review, you grant to Barnes & Noble.com and its
sublicensees the royalty-free, perpetual, irrevocable right and license to use the
review in accordance with the Barnes & Noble.com Terms of Use.
- Barnes & Noble.com reserves the right not to post any review -- particularly
those that do not follow the terms and conditions of these Rules. Barnes & Noble.com
also reserves the right to remove any review at any time without notice.
- See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend
Create a Pen Name
Welcome, penname
You have successfully created your Pen Name. Start enjoying the benefits of the BN.com Community today.
Anonymous
Posted November 7, 2012
Protector sleeping quarters
-Raffin
Was this review helpful? YesNoThank you for your feedback.Report this reviewThank you, this review has been flagged.
If you find inappropriate content, please report it to Barnes & Noble
More About This Textbook
Overview
Security Metrics Management is designed to provide basic guidance to security professionals so that they can measure the costs of their assets protection program - their security program - as well as its successes and failures. It includes a discussion of how to use the metrics to brief management, justify budget and use trend analyses to develop a more efficient and effective assets protection program.
- Over 100 checklists, flowcharts, and other illustrations depict examples of security metrics and how to use them
- Drawings, model processes, model procedures and forms enable the reader to immediately put concepts to use in a practical application
- Provides clear direction on how to meet new business demands on the Security Professional
Product Details
Related Subjects
Meet the Author
Edward P. Halibozek is currently a corporate vice president of security for a Fortune 100 company headquartered in Los Angeles, California. He holds a Master of Science in Criminal Justice and an MBA in business. Mr. Halibozek is an experienced lecturer and has written and published many articles, papers, plans, policies and procedures related to corporate security.
Mr. Halibozek is the former Chairperson for the Aerospace Industries Association, Industrial Security Committee and is a member of the Board of Directors for the Chief Special Agents Association in Los Angeles California. Mr. Halibozek served for four years as an Industry member to the National Industrial Security Program Policy Advisory Committee (NISPPAC).
Read an Excerpt
SECURITY METRICS MANAGEMENT
How to Measure the Costs and Benefits of Security
By Gerald L. Kovacich, Edward P. Halibozek
Elsevier Science
Copyright © 2006 Elsevier Inc.All rights reserved.
ISBN: 978-0-08-049226-1
Excerpt
CHAPTER 1
The Security Profession and Its Role in Supporting Business and Government Agency Assets Protection Needs
This chapter will introduce and discuss the role of security in support of the needs of corporations and government agencies in today's global environment. It is provided to set the stage for a basic foundation for security, and assets protection managed through a security metrics management program.
INTRODUCTION
The world of the security professional has changed, as have so many professions, due to the technological changes and advances that have led to the phenomena of instant and mass global communications. Today's corporations can no longer afford to think locally or even nationally. Now, they must not only think globally but also compete in the global marketplace. Sure, some can survive in their small world of local or nation-based business (within a specific niche)—for now—but even they will be positively and negatively impacted by what is referred to as the "global economy."
Security professionals have been slow to recognize or admit that this change has impacted their profession. One just has to look at the ever-expanding threat agents and their sophisticated techniques for attacking corporate assets to see that the environment in which they work has changed and will continue to change, probably faster than ever before. However, that is only one of the many issues facing the security professional.
The role of security is often viewed in a much-maligned way—even by some security professionals. Employees (and that includes management) often consider security professionals as an extension of law enforcement. They imagine the security staff operating in an enforcement role, watching them and "making" them behave in a certain way—a way not necessarily conducive to good business practices, inconvenient and not in-line with their preferences. After all, today's employees are like most people. They are not receptive to constraints, particularly when they don't understand the reasons for them or the value the constraints bring to the business.
All too often, security professionals believe it is the "job" of employees to understand them and to be automatically supportive of them and security's role to protect business assets. The security specialists may grow impatient when they don't get the support they believe they need, require or deserve. After all, don't corporate employees understand how important the security job is? The answer is, "No, they probably don't and really don't think about it very often, if at all!"
When such an attitude is present, it is up to the security professionals to win over the employees with the help and support of management. This may not be what the security professional wants to do or hear, but in order to be a successful security professional and manage a successful assets protection program for the business, that is what must be done.
Yes, justifying one's job is not as enjoyable as performing it, but one way to look at it is to consider each new supporter as one more victory in the game of gaining assets protection program support. A security metrics management program (SMMP) can help the security professional explain security decisions, policies and practices in a way that employees and management can understand and appreciate—using the business language of costs and benefits instead of security lingo.
On the brighter side, the security profession has come a long way as a profession and is no longer using (in most cases anyway) what was often termed "the guard force mentality." The perception was, and is sometimes still true, that the security staff was made up of retired law enforcement or military personnel looking for a retirement job. Most of these individuals had little concept of the business world and of dealing with executive management whose priority is profits and not "following the rules" or "patriotism" at all costs.
Even today, retired law enforcement, intelligence or security professionals are often given the opportunity to lead security organizations in business over those business security professionals who "grew up" within the business. In many cases, executive management does not understand or appreciate the talents and the job done by the security professionals within their own companies. Furthermore, the security professionals have done a rather poor job of educating corporate management as to what it takes to be a 21st century security professional—and being an ex-spy or investigator is not the same as establishing and managing a corporate assets protection program. Again, using an SMMP can help the security professional, regardless of the prior background of the individual who is responsible for assets protection.
Another problem with some security specialists is that they may even consider that the business assets are "theirs" and they are responsible for their protection, like parents worry about their children. They may fail to realize that it is not their property. It is the property of the owner(s) who have delegated protection of those assets to the corporate management team.
Management and other business employees are slow to realize the change to a more educated, intelligent and technical security profession. However, this change has been gradually taking place over the last several decades. The security profession has become more complex and requires far more skilled security professionals, not only in security-related functions, but also in various other disciplines of the business world.
So, who are these security professionals in the 21st century and what is their role in the world of business? To understand that, let's look at the reasons for the increased need for security professionals in today's business world.
THE NEED FOR SECURITY PROFESSIONALS IN BUSINESS
Is there a need for business security professionals today? The answer may be obvious if you are in the security profession. However, you may be surprised to know that there are many in the corporations of the world that might not agree with you. You may wonder how anyone in a corporate management or leadership position could think that way. Although you may be able to rationalize employees feeling that way, since many of the assets protection requirements can cause them to operate in a way that they do not agree with.
You should remember that most people prefer to operate without, or with minimal, constraints. That includes management. People are basically the same throughout the world, and this is basic human nature. Ask yourself if you like being constrained. The answer is: of course not. A business security professional must keep that in mind. After all, you must try to get people to understand the need for and value of complying with security requirements or "constraints" which are needed to protect business assets. An SMMP helps you make the case for those security requirements. If you can't make the case with or without an SMMP, then perhaps you are the one who is wrong in that situation. That is possible you know, and something you as a security professional should always think about when making assets protection decisions—is it possible that this decision is the wrong one?
However, the security professional should not take attitudes of other employees personally. After all, security specialists not only provide guidance and direction as they establish operating constraints, but security is also an overhead cost. Therefore, as you often will be reminded throughout this book, if not done effectively and efficiently, security can be a "parasite on the profits." Management, as well as the corporate owners, feel the same way about any other function within the business that is a "profit parasite." They want those functions to be as effective and efficient, and the least intrusive as possible on their core business activities.
All that said, then why have corporate security? If it is a publicly held company, a lack of security may at a minimum violate some government laws or regulations. In other words, the responsibilities of executive management include protection of assets and much of this is accomplished under the direction and control of security. Another reason assets protection is needed is the lack of trustworthiness of a small number of employees. Most employees are very conscientious and are honest enough to do the right thing regardless of any security staff or business policies. However, as is often the case, resources are allocated for security to protect the business and the honest employees. The goal is to protect them from the few who, for some reason, have it in their nature to take what does not belong to them or to do harm. Actually, if you are a security professional, you should thank those miscreants from around the world for being dishonest, even for only a moment. Why? Because you owe your job and the growth of the security profession to the miscreants of the world; without them, security professionals would not be needed.
So, yes, security is necessary. Without it, as without a law enforcement presence in societies, there would be uncontrolled losses of business assets and maybe even human lives. With that being said, as the leader of the security department and therefore the one responsible for the protection of corporate assets, you must still justify your decisions that impact productivity and other costs. As you can guess by now, we believe that the SMMP can help justify assets protection decisions.
One thing that is seldom talked about but helps rationalize security personnel and assets protection that is integrated into our daily lives and that is it is often a form of psychological security. (It makes us feel protected, although we may not be protected as well as we think. Some of it may be an illusion.) Think about it. How often do you hear about items getting through the airport checks, the fact that cargo is not checked, and other such security processes, and yet old ladies and children are included in random physical searches at airports and other locations. Let's face it; unless we want to live in a total police state—maybe even then—no one can protect people, information or facilities with 100% certainty that no one can get through the "security net" and steal, damage, or destroy some valuable asset. It is all a matter of deciding on what are acceptable levels of risks based on costs and benefits. As can be seen by the 9/11 attack, some management risk-related decisions can have a terrible impact on corporations and people.
Remember also that security costs money. Protection of people, physical assets and information costs an organization in terms of convenience, productivity and dollars. Executive management and security professionals make risk assessments based upon threats and vulnerabilities every day. If there is no specific threat, fewer resources are allocated for protection, regardless of the vulnerability. If the threat is high and controls in place leave the system vulnerable, then more resources may be allocated for protection.
In the case of airport and airline security controls, since the threat to the system pre-9/11 was presumed to be low, management at that time could get away with few or minimal security controls and less capable, poorly trained security personnel. They could afford to accept the risks associated with minimal security controls. In hindsight, now that the threat is better understood, it was a hard and costly lesson to learn.
(Continues...)
Table of Contents
Chapter 1: The Security Profession and Its Role in Supporting Business and Government Agency Assets Protection Needs
Chapter 2: Management and a Security Metrics Foundation
Chapter 3: Policies, Procedures, Processes, Plans, and Projects
Chapter 4: Security Metrics Management Program – An Overview
Chapter 5: Case Study: Measuring Costs of Security
Chapter 6: Case Study: Six Sigma
Section II: Administrative Security
Chapter 7: Information Security
Chapter 8: Personnel Security
Chapter 9: Security Education & Awareness Training
Chapter 10: Security Compliance Audits
Chapter 11: Surveys and Risk Management
Chapter 12: Corporate Assets Protection Program
Chapter 13: Contingency Planning
Section III: Physical Security
Chapter 14: Guard Force
Chapter 15: Technical Security Systems
Chapter 16: Locks and Keys
Chapter 17: Fire Protection
Chapter 18: Executive Protection
Chapter 19: Event Security
Section IV: Security Operations
Chapter 20: Investigations & Non-Compliance Inquiries
Chapter 21: Government Security
Chapter 22: Information Systems Security
Chapter 23: Mergers & Acquisitions Security
Chapter 24: Outsourcing
Section V: The Security Profession and Metrics Management in the Future
Chapter 25: Preparing Now to Support Future Business Needs
Chapter 26: Security Metrics Management Technology of the Future and How to Prepare Now to Use It