
13
2Chapter
Security Metrics
Security metrics are not well developed outside of a narrow range of IT-centric
measures. While these measures may be useful for managing specific technologies
such as patch management or server hardening, they are of little use in “manag-
ing” overall security. at is, there is not much available to determine the overall
effectiveness of the aggregate assurance processes much less the parts identified as
security. ere is little to guide the direction of a security program or provide the
basis for making good decisions.
Indeed, Andrew Jaquith of the Yankee Group expressed it well at the Metricon
1 metrics conference i ...