Metrics for Success: Show How Security Incidents Hurt Productivity

May 21, 2010

When we talk about metrics, we tend to focus on cost of loss, response times, recovery times and incident trends. But what are the impacts of a security incident in terms of lost time and productivity? These are real impact costs, but they are often lost in the otherwise valuable discussions about vulnerabilities, perpetrators and investigative results. Metrics like these put another perspective on the true cost of safety and security breaches.
Strategy: In this example, we see a Security Manager who understands the need to take his or her metrics beyond common workload and incident reporting. This company has the benefit of a multi-departmental Security Committee that meets quarterly to consider each participant’s unique perspective on risk, analyze lessons learned and seek a 360-degree view of root causes. Working hand-in-hand with HR and affected business units, the Security Manager’s team has smartly built and maintained a data file on the time spent by business unit and other non-security personnel on selected incidents involving security intervention. While it is not seen here, Security rounds out the perspective with a companion set of metrics that tracks investigative costs and documents the root causes and other relevant results from investigative post-mortems. This approach provides a far more comprehensive and instructive picture of the implications of various incidents and enables a more constructive process of corrective action.

In the graphic above, we see three years worth of data on four incident categories: termination, malicious incidents, workplace violence and workplace accidents. The cost is based on a melded labor rate of $52 per hour. (This rate considers the combined average hourly rate of individuals impacted by the events, plus all benefits, divided by 2080, which is the number of hours in one work year.)

Termination: This refers to the time required to address an employee termination for cause once the line manager and HR have made the decision to terminate. (A far bigger hourly and cost figure may be seen when you consider time lost dealing with the evaluative and corrective actions that have to be taken prior to the termination decision). Termination drains productivity in several ways: the time taken to conduct the risk assessment, the time taken by HR and business units in the replacement process, productivity lost from the terminated employee, and the time necessary to get the replacement fully functional in the job.

Malicious Incidents: These events typically impact or otherwise interrupt business processes and could range from vandalism caused by labor unrest to the impact of virus and malware on the information infrastructure and business processes. Many incidents in this category have dramatic post-event productivity impacts involving business outages and extensive restoration times at process-critical workstations.

Workplace Violence: We often focus on the time victims and security personnel spend in dealing with violence in the workplace. But these cases often have preceding and ongoing incident management and productivity implications as well. Victims of domestic violence — often with restraining orders — take more days off of work and function less effectively on the job, and the efficiency of their colleagues and supervisors may also be impacted. This is especially true where on-the-job workers are the adversaries.

Workplace accidents: This Security Manager has safety in his portfolio. The company employs day workers and temps who create high turnover and who may not be familiar with or attentive to safety rules and procedures. The manager recognizes that a workplace accident is likely to impact the productivity of any individual injured, and he is also sensitive to the fact that there could be longer-term impacts in escalating insurance rates and regulatory sanctions.

This Security Manager did not build a complex database requiring hours of input and analysis. In each event category, data estimates of productivity impacts were gathered as part of investigative findings on financial impact/loss or as a component of incident post-mortems. When we take metric snapshots on one factor alone, we may lose the opportunity to effectively connect these risk events to improved business knowledge. The value is in the ability to provide management with a more complete picture of Security’s view of enterprise risk management.

George Campbell is emeritus faculty of the Security Executive Council (SEC) and former CSO of Fidelity Investments. The SEC is a problem-solving research and services organization that involves a wide range of risk management decision makers. For more information about the Council, visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.