
How can security be measured?

Q: How can security be measured?

A: IT security is, by nature, an intangible and hard-to-measure objective or service. It can be extremely difficult to accurately evaluate the benefit of security provisions, or to see how well security systems work. However, within the security industry, some best practices have emerged for measuring the efficacy of security strategies and systems.

One way to measure IT security is to tabulate reports of cyberattacks and cyber threats over time. By mapping these threats and the responses to them chronologically, companies can get closer to evaluating how well security systems have worked as they are implemented. Companies can also survey the point people in key security positions to capture a kind of "risk perception" that also feeds into security benchmarking. Some experts recommend tracking security return on investment by asking the right questions of those who work on the front lines of cyber security and combining all of the incoming data into a bigger picture of security results.

Companies can also make security measurement more accurate by breaking security down into its various components. For example, endpoint security is the specific implementation of security practices for data endpoints like smartphone screens, tablets and PCs. Other aspects of data security involve data in use over a network, where professionals may use network checkpoints to establish security benchmarks, or measure security in other ways.

For many IT professionals, security measurement is an "input in, input out" process in which security experts aggregate data about cyber threats, feed it into a database and produce informative reports. This type of sophisticated analysis helps to drive the evaluation of security practices and helps human decision-makers deal with change management for security strategies. In general, IT security involves a "security life cycle" with multiple steps and stages to respond to threats, rather than just providing a static type of protection.
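The chronological tabulation and per-component breakdown described above can be sketched as follows. This is an added example, not code from Techopedia; the record layout, the "endpoint"/"network" labels, the rollout date and all sample incidents are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample data: (detected, resolved, component). Not real incidents.
INCIDENTS = [
    ("2023-01-09T08:00", "2023-01-10T08:00", "endpoint"),
    ("2023-01-17T14:00", "2023-01-17T20:00", "network"),
    ("2023-01-23T10:00", "2023-01-23T22:00", "endpoint"),
    ("2023-02-06T09:00", "2023-02-07T03:00", "endpoint"),
    ("2023-03-14T11:00", "2023-03-14T15:00", "network"),
    ("2023-04-18T09:00", "2023-04-18T17:00", "endpoint"),
    ("2023-05-02T13:00", "2023-05-02T16:00", "network"),
    ("2023-06-12T07:00", "2023-06-12T09:00", "network"),
]


def monthly_report(incidents):
    """Tabulate chronologically: (month, component) -> count, median hours to resolve."""
    buckets = defaultdict(list)
    for detected, resolved, component in incidents:
        start = datetime.fromisoformat(detected)
        hours = (datetime.fromisoformat(resolved) - start).total_seconds() / 3600
        buckets[(start.strftime("%Y-%m"), component)].append(hours)
    return {key: {"count": len(h), "median_hours": median(h)}
            for key, h in sorted(buckets.items())}


def before_after(incidents, component, start, rollout, end):
    """Incidents per 30 days for one component before and after a control's rollout."""
    days = [datetime.fromisoformat(d).date() for d, _, c in incidents if c == component]

    def rate(lo, hi):
        # Normalise by window length so unequal periods stay comparable.
        return round(sum(lo <= day < hi for day in days) * 30 / (hi - lo).days, 2)

    return {"before": rate(start, rollout), "after": rate(rollout, end)}


if __name__ == "__main__":
    for (month, component), stats in monthly_report(INCIDENTS).items():
        print(month, component, stats)
    # Assumed rollout of an endpoint control on 2023-04-01 (hypothetical date).
    print(before_after(INCIDENTS, "endpoint",
                       date(2023, 1, 1), date(2023, 4, 1), date(2023, 6, 30)))
```

A falling incident count can also reflect weaker detection rather than better protection, so these figures are best read alongside the survey-based "risk perception" input.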


Techopedia Staff