
67
6Chapter
The Metrics Imperative
It is generally agreed that there are few activities that can be managed well without
decent metrics. e fact that many information security managers do manage ade-
quately with just technical metrics, some notion of good or best practices coupled
with experience, a modicum of intuition, and a bit of luck would seem to suggest
that isn’t entirely true. If in addition, trends show that the overall results from secu-
rity activities are consistent with expectations, impacts are acceptable, and costs are
reasonable, this may seem adequate to the majority of organizations. However, this
often results in a dangerous ...