To find data for your metrics, look to inventory or survey risk outcome costs from accidents, business interruptions, crimes, injuries, litigation, turnover, etc. Sources of this data may likely be external to the organization; for example, Bureau of Justice Statistics, crime compensation research, European Sourcebook of Crime Statistics, National Crime Victimization Surveys and other sources of research on the cost or economics of crime, violence and injury.
The following are some examples of sources of internal data for security metrics:
The security leader and his team at an aircraft manufacturer used this method to research external cost of emergency response. They were able to effectively demonstrate the savings the company could achieve by running the program internally. As we examine the incident response rates against risk outcomes, we really get to the value assertions Security needs to demonstrate that we have a return on investment.
As an example, let’s say we know that the average cost of a homicide or assault in the business environment is X. We can use cost avoidance attribution because we are undertaking activities that lend themselves to a safer workplace. Using available per-population crime statistics, Security may be able to report that the organization has avoided any number of incidents that might otherwise be valued at Y.
The organization begins to understand that had they experienced those negative incidents, insurance would be increasing. Management distractions and business interruptions would occur. Security can then make the case that unwanted incidents in an otherwise prospering environment will have a negative impact on the business, and they can “connect the dots” to show that Security preventing or mitigating those incidents is resulting in hard cost savings.
These are a few of the things to start to look at when attempting to get into where the data resides in your organization. Make sure that you understand what the relevance of the numbers is; what the priorities of the business are; where the cultural sensibilities lie; and align any reported metrics with a good explanation that demonstrates the value security offers.
Answer provided by Francis D’Addario, former CSO of Starbucks Coffee Company and SEC Emeritus Faculty of Strategic Innovation, during an SEC Security State of the Industry discussion for Tier 1 Leaders™.