How Can Metrics Be Used to Persuade Executive Management to Improve Security?

In an organization, there are several methods one can utilize to persuade management to improve security; one of these is through the use of metrics. Some metrics that can be beneficial in the task of showing management the reasons why security needs to be increased are to comprise crime data of the surrounding area and then compare that data to the organization’s crime statistics, looking for any room for improvement. Additionally, by taking the number and financial cost of all security incidents in a given year, you can take that cost and see if enhancing the security systems would be less than the loss of events during that year. If the organization uses an MSP for security, you could weigh the costs of that vendor versus hiring your own security department, thus showing if you are getting a fair deal. By using metrics and data in the form of a sophisticated presentation involving charts and graphs, the organization can be given an easy to comprehend outlook on what the company’s security is doing, what it can do, and how much it would cost to upgrade it.

You could also perform research and analysis of each piece of hardware, software, or policy in the security system, compiling data such as the average number of incidents in a year, cost per incident, cost per the item, cost per annual maintenance, and costs of the personnel which operate it. Furthermore, rising and emerging types of attacks both in the digital and physical front can be researched, and the data can then be presented to help motivate management to fight back. Some common methods to ‘scare’ management into providing extra funding for security measures is to quickly summarize recent attacks on other organizations, such as ransomware, and the cost and impact to the organization. While scare tactics might not necessarily be ethical, they often work.

Finally, an excellent metric to use to influence management to increase security systems is to use an intrusion test, where an authorized individual (who is unauthorized in the system), attempts to access the facility using multiple means and areas of entry; the data accumulated from their activities should be compiled into data and metrics, showing how easy or difficult it was to gain access, what they had access to, what could have been done to thwart them, and how much that new system or policy to prevent their access would cost.

Wailgum, T. (1 Feb 2005). Metrics for Corporate and Physical Security Programs. Retrieved February 24, 2020, from

Fennelly, Lawrence J. (28 Nov 2016). Butterworth-Heinemann; 5th edition. “Effective Physical Security.”

Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s