
119
13Chapter
Information Security
Management Metrics
Managing information security will typically require a variety of decisions includ-
ing those involving strategy and management as well as those in administration
and operational areas. Clearly, the information or feedback needed will be very
different for making prudent decisions in the various areas and, consequently, the
metrics needed will be quite different.
Metrics serve only one purpose: decision support. We measure to manage.
We manage to meet objectives in order to achieve desired outcomes.
Strategic measures and metrics for governance are discussed in Chapter 10 and are
basically the nav ...