This directory contains tips & tricks for improving measurement mechanics in your organization.
There's a Dutch saying called 'Meten is weten'. It basically implies that if you measure something, you are able to understand it better. Sounds easy, right? It's not. Folks find it really difficult to actually come up with something tangible. This was the main reason for me to publish any relevant content I produced or found online. This way, we can all participate in improving measurement.
Let me know what you think! @gertjanbruggink
In May 2019, I published a little cheatsheet to be used for measuring Cyber Threat Intelligence. I was inspired by a talk* by @MarSChauvin & @t_gidwani on CTI metrics. From that moment on, I try to keep anything related to measurement & CTI in a central thingy. As of Jan 2020, I've moved details to this repo to make it easier for me to update the set and for you to plug/contribute the latest details. The latest update to the doc is from Jan 2023. The major lesson learned so far is that the metrics have not changed that much over the years. How we combine them together to tell a story did. Ration if you will. How this impacts your organization in practice is something you have to understand within the context of your own organization.
Target audience division when concerned about CTI metrics:
- Strategic; Executive teams, C-level, CISO, business reps
- Tactical; SOC managers, Information security officers, business reps
- Operational; Security analysts, CTI analysis, Incident responders, business reps
A few personal considerations:
- I believe mature CTI metrics are correlated with business goals, outcomes and enablement. You measure on performance & effectiveness.
- Measurement is only possible by clear alignment with audience & stakeholder(s); understanding what they need and defining PIRs (Priority Intelligence Requirements) accordingly. PIRs guide improvement of metrics, and the supporting technology required.
- When organizations reach the intermediate phase, KPIs are generally continuously reviewed, refined and defined. In essence, this is done by (re)defining PIRs for each stage of the client's specific intelligence cycle and governing it through a dedicated intelligence program.
- Higher vs lesser value is based on stakeholder & community feedback, qualitative review of existing metrics and quantitative tracking through a maturity model (built for my previous employer).
*Source: https://www.first.org/resources/papers/london2019/1130-How-to-Get-Promoted-Gidwani.pdf
For more information on how cyber threat intelligence metrics relate to an overall capability: https://github.com/Errum/IntelArchitectureMap
Added after building some measurements for a client.