Balanced Scorecard for Information Security Introduction

Article
05/06/2008

Executive Summary

Information security professionals traditionally had difficulty trying to justify their existence. IT security staff agree there should be some security controls in place, but trying to validate a defense in depth approach is difficult. Organizations have tried to use Return on Investment (ROI) and Return on Security Investment (ROSI) as a method to prove the value in security controls with varying degrees of success. ROI and ROSI don’t always work for an organization’s information security goals.

The Balanced Scorecard is an accepted business framework for showing progress on organizational goals. Balanced Scorecard has been around for 15 years. It was originally an idea proposed by Robert Kaplan and David Norton and published in the article "The Balanced Scorecard: Measures that Drive Performance", Harvard Business Review Jan – Feb pp71-80. The Balanced Scorecard has been used as a method to demonstrate progress on intangible business goals.

Information security is a required business function that has been difficult to quantify objectives. The Balanced Scorecard framework and its focus on intangible and difficult to monetize goals make it a perfect presentation method for information security metrics to executive management.

Balanced Scorecard background

The Balanced Scorecard (BSC) was originally introduced in 1992 when Robert Kaplan and David Norton published the initial document "The Balanced Scorecard: Measures that Drive Performance", Harvard Business Review Jan – Feb pp71-80. It has been adopted by businesses and business schools. The BSC framework starts with an organizations building its vision and strategy. The framework uses scorecards to show progress on the strategy. Progress on strategy is a much easier gauge for information security managers to prove progress. The Balanced Scorecard allows managers to look at the business from four different perspectives. In the words of Kaplan and Norton, it provides answers to four basic questions:

How do customers see us? (customer perspective)
What must we excel at? (internal perspective)
Can we continue to improve and create value? (innovation and learning perspective)
How do we look to shareholders? (financial perspective)

Figure 1 is a sample BSC framework which highlights the four perspectives:

Figure 1

Based on management’s decisions as to what the desired result should be, management and others in the organization then establish goals and objectives to work toward the desired result, the vision. Measurements are then established to track progress towards those goals.

Information security is an area of IT management that is not short on the amount of data that is created by log files from multiple application and device sources. The amount of information can at times be overwhelming. Organizing the data output in a way that it can be easily tracked and mapped to strategy can be of great help for information security managers.

Problems with Information Security Justification

Almost all information management organizations have large amounts of data. The problem that most managers have is how to take all of that information and turn it into something that is meaningful. Another issue is that in traditional metrics views, one metric may seem completely out of place when placed side by side with another. An example would be a traditional information security dashboard may have VPN connections denied on the same page as the output from an Intrusion Detection System. All of this data in its raw format place on the same page may make sense to a security manager, but when shown to executive management it does not communicate in terms the executive management can understand and act upon.

Risk management has been used as a way for security managers to show ROSI. Risk management is a process that assesses risk, and based on the decisions made identifies controls to reduce the risk to an organization. Identification of risk and the placement of controls are a very important task for security organizations. The complete process is displayed below in figure 2.

Figure 2

When assessing and identifying risk, the risks are quantified based on series of estimates. The first figure, Single Loss Expectancy (SLE), is created by estimating the revenue loss that may be realized in a single security incident. The second figure, Annual Rate of Occurrence (ARO), is determined by estimating the number of times an incident could occur in a year. The final figure, Annual Loss Expectancy (ALE) is calculated by multiplying the SLE by the ARO. The ALE is then used as an indicator to how much money should be spent on the security controls that should be put in place to mitigate a specific risk. This is a gross over simplification of risk monetization, but it does demonstrate the amount of guesses involved in calculating ALE.

Many security organizations equate ALE to ROSI. That is also an over simplification and many managers are beginning to refute this as a solid basis for definitive proof of investment justification. By no means is risk management a futile task, and it should be conducted by all organizations to help identify risk and prioritize security controls. For more a much greater review of risk management, see the Microsoft Security Risk Management Guide, https://www.microsoft.com/downloads/details.aspx?familyid=C782B6D3-28C5-4DDA-A168-3E4422645459&displaylang=en.

Balanced Scorecard as a resolution to problem areas

The Balanced Scorecard can be used to frame information security in a way that it can be easily understood by executive management. Using BSC a security manager can use the many difficult to understand metrics that are collected by information security controls and put them into a context that makes sense. Even when combining seemingly disparate data, BSC can help a security manager create views that will map complex information up to the high level business objectives of an organization.

Since Balanced Scorecard has reached acceptance in executive management circles for some time it is much easier to match management decisions to aligned security metrics. In the case of risk management a Balanced Scorecard framework can remove monetization from the high level view. This allows a security manager to highlight strategy progress on risk instead of on whether specific risk estimates are valid for their organization.

Other benefits of Balanced Scorecard adoption for information security

The Balanced Scorecard is designed as a strategic tool for organizations. Fundamentally, the organization develops strategy, develops goals to achieve those strategies, and measures the progress towards the goals through Key Performance Indicators (KPI’s). When framing information security into a model that is designed around goals, the practitioner is forced to communicate security objectives into terms that align with corporate strategies. This often changes the discussion of information security more along the lines of corporate strategy, which proves helpful for discussions with senior management as well as managers in other departments.

Conceptual Design

How does one go about adopting a Balanced Scorecard for information security? The following sections will explore the concepts of Balanced Scorecard implementation. When creating a balanced scorecard an organization must have the correct input to be effective. The stake holders in a balanced scorecard should be: security management, security strategists, security auditors, security metric owners. These individuals will be able to help identify strategy, metrics and other helpful information. Information Security managers must consider how to present their data in a manner that will most effectively convey progress on their strategy. A BSC framework could be used to enhance any of the IT methodologies in existence. For this example we will use ISO l7799 as a basis for strategy.

Information Security Program Strategy

When considering Information Security strategy, one must remember to keep the high level ideas simple, even if the technical execution of the strategy may be complex. Balanced Scorecard will adopt the high level strategy points. These strategy points can then be mapped to actual security metrics. How the metrics are mapped back to strategy will vary from organization to organization.

A suggested approach is to organize information security frameworks along easily understood descriptions. In the following diagram, any security event can be described as some event taking place on an asset that has an organizational impact:

Categories in a framework like ISO 17799 can be organized in very general terms, so vulnerability management can be anything to do with protecting the asset. For those security events which actually involve humans as the threat actors, controls that are specific to people can be grouped as Security Awareness and Education. Finally, accessing the asset in question is a function of the physical and cyber access control mechanisms involving the asset. In this case, the follow on picture becomes:

And the ISO 17799 categories are grouped as follows:

ISO Categories	Security Programs
Policies	Security Awareness and Education
Human Resources Security	Security Awareness and Education
Physical and Environmental Security	Access Control
Access Control	Access Control
Communications and Operations Management	Vulnerability Management
Information Systems Acquisition, Development and Maintenance	Vulnerability Management
Information Security Incident Management	Vulnerability Management
Business Continuity Management	Business Continuity
Compliance	Compliance

In this way when the senior management asks to drill down on measurements, the first level organization along the lines of information security can be easily described and understood. Business continuity and compliance typically are terms that are more readily understood by audiences not involved with information security.

Below is a set of example objectives based on the balanced scorecard pillars of (F) Finance, (C) Customer, (I) Internal Process, (L) Learning and Growth:

Security Awareness and Education
- (F) Lower security incidents
- (C) Increase customer confidence
- (I) Improve security adoption in internal applications
- (L) Improve security awareness

Access Control
- (F) Control access to reduce financial loss
- (C) Allow customers access to customer based resources
- (I) Ensure that employees set access correctly
- (L) Allow users to access resources required to grow the business

Vulnerability Management
- (F) Reduce financial loss due to vulnerabilities
- (C) Do not expose customers to vulnerabilities
- (I) Ensure that risks do not affect day to day operations
- (L) Learn from security incidents

Business Continuity
- (F) Ensure the business continuity when events happen
- (C) Provide customer service during a continuity event
- (I) Test business continuity processes
- (L) Ensure all employees are aware of business continuity processes

Compliance
- (F) Comply with all mandated regulations
- (C) Comply with quality regulations
- (I) Ensure all employees understand compliance measures
- (E) Continually review compliance measures to ensure continued growth

Conclusion

While this description is intended to provide a sample of the kinds of approaches that can be taken, it should by no means be considered as anything but a starting point. The ideal implementation would be one where the organization’s goals are well-defined and the information security team can directly map their efforts to the broader organizational goals.

Even without organizational goals, the information security professional can develop departmental goals. That effort can facilitate an improved executive communications tool. The result could replace the existing reports which may be overly technical or require an education in information security in order to be successfully digested. The improved executive communication can in turn win the information security organization needed executive sponsorship.

Feedback

Please direct questions and comments about this guide to secaware@microsoft.com.