I've been doing some research on control effectiveness. I am aware of many standards such as PCI, FISMA, ISO 27000, etc. I am also aware of the SANS Top 20 controls and the Australia Top 35 strategies to mitigate threats, but what I am having trouble digging up is rough data on how effective each control is. I would love to see some numbers. I know each control can have a percentage attached to it (maybe antivirus is only installed on 80% of Windows servers, for example), but I'd love to see numbers I can take to the CFO or CEO to better calculate the effectiveness. For IT security controls, one could leapfrog off of NSS Labs, but what about other control processes? I know CMMI and could help devise a system to see the maturity of a particular control, but without doing metrics, is there anything solid I can point to? Some kind of actuarial-type table?
I can see collecting metrics before and after to help facilitate better numbers. What are your thoughts? Does anyone have such data? I know the numbers are so variable depending on all kinds of factors such as insider versus outsider attacks, background checks, network segmentation, security awareness training, etc. etc. etc. Some controls work in concert with one another, so I'll appreciate any links.