Two free risk-management guides provide directions on how to establish corporate security metrics. The guides, aimed at security professionals, also offer tips on organising risk assessments and presenting findings.

The Center for Internet Security's "Security Metrics 1.0" is a pithy compilation of 20 "metrics definitions" covering six areas: incident management; vulnerability management; patch management; application security; configuration management; and financial metrics. The 83-page paper shoots for a mathematical approach that lets an organisation build a scorecard for each category to assess and chart progress, or decline, in each of the six security-management areas.

But as impressive as this effort is, "Security Metrics 1.0" acknowledges that a proper range for security spending, often defined as a percentage of the overall information-technology budget, remains hard to determine.

"It is elusive," admits Bert Miuccio, CEO at the Center for Internet Security (CIS), which has about 130 members, 90 of them representing end-user organisations. When it comes to spending goals, the "Security Metrics 1.0" guide begs off the question, stating that "no strong consensus" exists and advising organisations to look at what "peer organisations" with "similar IT profiles" are doing, since more data on the subject is needed.

But that shouldn't stop companies from investigating the do-the-maths approach defined in "Security Metrics 1.0".

"The rationale for releasing these metrics definitions is so organizations can start tracking and reporting on these areas, including budget, in a consistent and repeatable way, and begin sharing that data with each other," says Miuccio.

The second risk-management guide published this week, entitled "Technical Guide: Requirements for Risk Assessment Methodologies", is from the Open Group's security division. It advises on practices for planning interactions between auditors, security managers and the business side, including legal.

The 28-page document is a high-level guide that takes a philosophical look at the pros and cons of various risk-assessment approaches, including testing, sampling and questionnaires. For instance, while testing can reveal holes, the downside is that "passing a test can lead to a false sense of security," the Open Group's study notes.

According to the Open Group's vice president of security, Jim Hietala, future technical efforts will include work on what's called the Automated Compliance Expert Markup Language (ACEML). This is intended as a set of standards for risk assessment which, when implemented in vendor equipment, would allow for automated reporting.

"It's to define a standard for computer systems platforms to share compliance settings," says Hietala, noting that this process tends to be more manual today. IBM is taking the technical lead on the effort, Hietala says.