PRAGMATIC Security Metric of the Quarter #6

The league table for another 3-month's information security metrics shows a very close race for the top slot:

Metric	P	R	A	G	M	A	T	I	C	Score
Power consumed by the computer suite versus air conditioning capacity	81	69	89	92	80	99	98	90	98	88%
Security governance maturity	95	97	70	78	91	89	90	85	90	87%
Business continuity plan maintenance status	75	75	90	73	84	76	80	77	93	80%
Number or proportion of security policies addressing viable risks	65	76	91	73	83	77	70	61	78	75%
Quality of security policies	80	85	40	66	72	75	80	80	80	73%
Number of controls meeting defined control criteria or objectives	88	86	88	65	78	60	26	90	70	72%
Corporation's economic situation	72	80	10	80	80	80	61	80	79	69%
% of highly privileged or trusted users or functions	86	80	51	40	65	39	55	95	60	63%
Time lag between incident and detection	80	70	72	30	75	50	50	65	65	62%
Number of unapproved or unlicensed software installations identified on corporate IT equipment	58	55	82	73	86	47	64	66	17	61%
Extent to which QA is incorporated in information security processes	75	70	66	61	80	50	35	36	50	58%
% of incidents for which root causes have been diagnosed and addressed	85	85	67	40	77	40	48	16	40	55%
Psychometrics	40	24	0	79	15	55	10	42	5	30%

[Click any metric to visit the original blog piece that explained the rationale for ACME's scoring.]

Hopefully by now you are starting to make out themes or patterns in the metrics that score highly on the PRAGMATIC scale.

Having so far discussed and scored more than half of the example metrics from the book, plus a bunch more metrics from other sources, there's a fair chance we have covered some of the security metrics that your organization currently uses. How did they do? Do the PRAGMATIC scores and the discussion broadly reflect your experience with those metrics?  

We would be amazed if your metrics rate exactly the same as ACME's but if any of your scores are markedly higher or lower, that itself is interesting (and we'd love to hear why - feel free to comment on the blog or email us directly). The most likely explanation is that you are interpreting and using the metric in a way that suits your organization's particular information security management needs, whereas ACME's situation is different. Alternatively, it could be that you are applying the PRAGMATIC criteria differently to ACME (and us!). To be honest, it doesn't matter much either way: arguably the most important benefit of PRAGMATIC is that is prompts a structured analysis, and hopefully a rational and fruitful discussion of the pros and cons of various security metrics.