
63
5Chapter
Relevance
A discussion of security metrics suggests it is critical to understand what we
are attempting to measure, why we want to measure it, and what it means to
our organization. Is it a degree of safety? Are we looking for statistical cer-
tainty? Predictions? Or do we merely want feedback about what works and
what doesn’t?
e literature is full of approaches to security metrics. Vendors have dozens of offer-
ings around security metrics. e questions that don’t seem to be asked or answered
are, “What are we measuring, what does it mean, and who needs to know?”
No doubt some will say, “Hold on. We know what we are measuring. We mea- ...