106 ◾ Information Security Metrics
Each of the attributes in turn has suggested metrics enumerated in the table in
Appendix E.
If a CobiT or ISO 27001 approach to developing control objectives is utilized,
the relevant metrics for strategy development will be the extent to which those
objectives are addressed by the strategy.
If the capability maturity approach is used to set objectives, the metrics for
strategy development will be the improvement in maturity that will occur as a
result of implementing the strategy.
In other words, at this level, the metrics are tied to the methodology used for
setting and dissecting the information security objectives that the strategy is devel-
oped to address. A review of Chapter 2 should provide guid