Six Sigma for Security, Part 3: Analyzing the Data
Making security measurable is only the beginning of Six Sigma for Security. The purpose of security metrics is not the metrics themselves but what you do with them. The next phase is to analyze the data and find opportunities for improvement.
The analysis phase is what makes Six Sigma stand out. In it you will use statistics to find where you can make improvements. There are two improvements in your measurements that are important: 1) average performance; and 2) variation.
Your average performance is an important measurement because it allows you to track and trend how well you are doing at protecting information assets. But performance may vary widely around an average. For example if your average turn around on a user termination is 15 days, it may be that half of your requests are 30 days. Some may even linger for 90 days. This is very wide variation around the 15 day average.
Your goal in the analysis phase is to quantify variation and identify factors that can positively influence your performance. This is accomplished by using a variety of statistical analysis tools.
One of the most popular and easy-to-use tools is Pareto analysis, which allows you to quickly find the biggest problem areas in your metrics. It also results in a distinctive chart that shows you frequency and a cumulative percentage to visually quantify the impact of improvements.
Analysis is one of the most challenging phases of Six Sigma. Until now the process has been very consistent and predictable. In this phase, you may try analyzing data one way, find nothing worthwhile, and try it again in several different ways. It is a trial and error process in which you don't stop until you find something of significance that can lead to improvement.
At the end of the analysis phase you should end up with root causes for problem areas in your security metrics. If you are confident that you have arrived at the root cause, you are ready to move on to the improvement phase.
Learn more about Six Sigma tools on Wikipedia.
Labels: Security Process
0 Comments:
Post a Comment
Links to this post:
Create a Link
<< Home