Performance is often measured of terms of economic impact, and based on the more than 93 Million dollar, two year IT overhaul that is planned for the Office of Personnel Management, you could say there is a significant impediment to performance. Obviously the OPM should have been doing more to reinforce their security, and encrypt the valuable and private information of federal employees. As these changes develop over the future, there are 4 major measures used to categorize information security effectiveness:
Implementation, or the percent at which progress is made. As alarms and encryptions are installed across OPM’s networks, system and agency level performance evaluations should be conducted in order to analyze the appropriate implementation of sound security strategies.
Effectiveness is the measure of the extent a security control works and achieves it’s desired outcome. For instance, if OPM adopts two-factor authentication, as many federal agencies had required for remote log-ons since well before the 2015 breach [1], we can gauge the results against the breaches that took place before they implemented two-factor authentication, and measure it’s effectiveness.
Efficiency, in other words, the measure of control performance in consideration to the time and resources allocated, is simple to measure, in regards to the Office of Personnel Management breach of 2015. Any measure, in regards to protected employees work history, contacts, and personally identifiable information, would be justifiable in the name of asset protection. As the CIA pulled potential spies from it’s embassy in Beijing [2], it’s apparent that missions were compromised, and the “security measures” that were in placed we obviously ineffectual, and any protection implemented that would maintain the privacy and cover of federal employees would be considered efficient.
Which leads us to Impact. Impact demonstrates the effects of information security (or the lack thereof) on an organizations mission. It is possible that too much security can impede the actual job at hand, but it seems more apparent to me, in the example of the OPM data breach, that the lack of info sec can have just as much impact on the mission at hand.
[1] https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/