Chapter 10 Toward Security Metrics Maturity

As you look to improve in any endeavor, it helps to have a view of where you are and a vision for where you need to go. That improvement needs to be continuous, and it needs to be measured. Being "continuous and measurable" was stated at the outset as one of the main outcomes this how-to book is meant to deliver. Continuous measurements made with a goal in mind are called "metrics." To that end, this chapter provides an operational security-metrics maturity model. Unlike other analytics-related maturity models (and yes, there are many), ours starts and ends with predictive analytics.

This chapter begins to introduce issues at the management and operations level. Richard Seiersen, the coauthor most familiar with these issues, uses this chapter and the next to address his peers in language and concepts they should already know. Richard introduces more technical material only selectively, where it illustrates a practical action. To that end, we cover the following topics:

  • The Operational Security Metrics Maturity Model: a maturity model laid out as a matrix of standard questions and data sources.
  • Sparse Data Analytics (SDA): the earliest metrics stage, which applies quantitative techniques to model risk from limited data. It is particularly useful for informing new security investments. We provide an extended example of SDA using the R programming language at the very end of this chapter. This is optional ...
