Goal Question Metric: Are Your Metrics Any Good?
You want to create some metrics. More importantly, someone has told you that you need to create some. How do you know if you’re just making work for yourself or if you’re just putting a spin on the same old data?
Ask yourself what the goals are.
In trying to determine what to measure in order to achieve those goals, I recommend using a Goal-Question-Metric (GQM) paradigm. It can actually be applied to all life-cycle products, processes, and resources. I’ve been using this process for years and it really helps me create a quality metric, independent of the process’s lifecycle.
The GQM paradigm is based on the theory that all measurement should be goal-oriented, i.e., there has to be some rationale and need for collecting measurements, rather than collecting for the sake of collecting. Each measurement collected is stated in terms of the major goals. Questions are then derived from the goals and help to refine, articulate, and determine if the goals can be achieved. The metrics or measurements that are collected are then used to answer the questions in a quantifiable manner.
Here is an example of the GQM in action:
Goal One: Maintain a maximum level of customer satisfaction
Question One – What is the current help desk ticket trend?
| Metric 1 | Number of help desk tickets closed |
| Metric 2 | Number of new help desk tickets open |
| Metric 3 | Total number of help desk tickets open |
| Metric 4 | % tickets outside of the upper limit |
| Metric 5 | Subjective rating of customer satisfaction |
Question Two – Is the help desk satisfaction improving or diminishing?
| Metric 6 | Number of help desk calls abandoned |
| Metric 7 | Number of help desk calls answered |
| Metric 8 | Number of help desk calls sent to voicemail |
| Metric 9 | Subjective rating of customer satisfaction |
As the great Lord Kelvin once said, “If you can not measure it, you can not improve it.”
While the basic concept of goal-question-metrics is simple and well understood, not everything can be objectively measured: a ‘balanced scorecard’ offers a much better framework.
In the case of cyber security, a good measure is ‘how effective are the security controls in reducing material risk?’ at a tactical level, ‘how many person-hours does it take to resolve a security incident?’
Asking the right questions is the key.