Description:
Currently, Measure and Improve requires three metric categories: effort, result and environment. However, how these metrics contribute to lowering security risk is not stated. For example, the effort metrics mention training hours, though the number of training hours is not necessarily a good proxy for security awareness.
Acceptance criteria:
Improve the description of the maturity level 1 activity. The "best practices" outlined there are informal; I'd use J. Rosenberg's paper "Statistical Methods and Measurement" as a starting point for describing what an effective metric is and what the pitfalls are when setting up metrics.
The quality criteria and answer options should reflect the newly defined concept of an effective metric.