book

IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data

Name: IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data
Author: Lance Hayden
ISBN: 9780071713412

by Lance Hayden

August 2010

Intermediate to advanced

396 pages

12h 21m

English

McGraw-Hill

Read now

Unlock full access

Cover Page
It Security Metrics
Copyright Page
Contents
Foreword
Acknowledgments
Introduction
Part I Introducing Security Metrics
1 What Is a Security Metric?
Metrics and MeasurementMetrics Are a ResultMeasurement Is an ActivitySecurity Metrics TodayRiskSecurity Vulnerability and Incident StatisticsAnnualized Loss ExpectancyReturn on InvestmentTotal Cost of OwnershipThe Dissatisfying State of Security Metrics: Lessons from Other IndustriesInsuranceManufacturingDesignReassessing Our Ideas About Security MetricsThinking LocallyThinking AnalyticallyThinking AheadSummaryFurther Reading
2 Designing Effective Security Metrics
Choosing Good MetricsDefining Metrics and MeasurementNothing Either Good or Bad, but Thinking Makes It SoWhat Do You Want to Know?Observe!GQM for Better Security MetricsWhat Is GQM?Setting GoalsAsking QuestionsAssigning MetricsPutting It All TogetherThe Metrics CatalogMore Security Uses for GQMMeasuring Security OperationsMeasuring Compliance to a Regulation or StandardMeasuring People and CultureApplying GQM to Your Own Security MeasurementsSummaryFurther Reading

3 Understanding Data
What Are Data?Definitions of DataData TypesData Sources for Security MetricsSystem DataProcess DataDocumentary DataPeople DataWe Have Metrics and Data—Now What?SummaryFurther Reading
Case Study 1: In Search of Enterprise Metrics
Scenario One: Our New Vulnerability Management ProgramScenario Two: Who’s on First?Scenario Three: The Value of a SlideScenario Four: The Monitoring ProgramScenario Five: What Cost, the Truth?Summary
Part II Implementing Security Metrics
4 The Security Process Management Framework
Managing Security as a Business ProcessDefining a Business ProcessSecurity ProcessesProcess Management over TimeThe SPM FrameworkSecurity MetricsSecurity Measurement ProjectsThe Security Improvement ProgramSecurity Process ManagementBefore You Begin SPMGetting Buy-in: Where’s the Forest?The Security Research ProgramSummaryFurther Reading
5 Analyzing Security Metrics Data
The Most Important StepReasons for AnalysisWhat Do You Want to Accomplish?Preparing for Data AnalysisAnalysis Tools and TechniquesDescriptive StatisticsInferential StatisticsOther Statistical TechniquesQualitative and Mixed Method AnalysisSummaryFurther Reading
6 Designing the Security Measurement Project
Before the Project BeginsProject PrerequisitesDeciding on a Project TypeTying Projects TogetherGetting Buy-in and ResourcesPhase One: Build a Project Plan and Assemble the TeamThe Project PlanThe Project TeamPhase Two: Gather the Metrics DataCollecting Metrics DataStoring and Protecting Metrics DataPhase Three: Analyze the Metrics Data and Build ConclusionsPhase Four: Present the ResultsTextual PresentationsVisual PresentationsDisseminating the ResultsPhase Five: Reuse the ResultsProject Management ToolsSummaryFurther Reading
Case Study 2: Normalizing Tool Data in a Security Posture Assessment
Background: Overview of the SPA ServiceSPA ToolsData StructuresObjectives of the Case StudyMethodologyChallengesSummary
PART III Exploring Security Measurement Projects
7 Measuring Security Operations
Sample Metrics for Security OperationsSample Measurement Projects for Security OperationsSMP: General Risk AssessmentSMP: Internal Vulnerability AssessmentSMP: Inferential AnalysisSummaryFurther Reading
8 Measuring Compliance and Conformance
The Challenges of Measuring ComplianceConfusion Among Related StandardsAuditing or Measuring?Confusion Across Multiple FrameworksSample Measurement Projects for Compliance and ConformanceCreating a Rationalized Common Control FrameworkMapping Assessments to Compliance FrameworksAnalyzing the Readability of Security Policy DocumentsSummaryFurther Reading
9 Measuring Security Cost and Value
Sample Measurement Projects for Compliance and ConformanceMeasuring the Likelihood of Reported Personally Identifiable Information (PII) DisclosuresMeasuring the Cost Benefits of Outsourcing a Security Incident Monitoring ProcessMeasuring the Cost of Security ProcessesThe Importance of Data to Measuring Cost and ValueSummaryFurther Reading
10 Measuring People, Organizations, and Culture
Sample Measurement Projects for People, Organizations, and CultureMeasuring the Security Orientation of Company StakeholdersAn Ethnography of Physical Security PracticesSummaryFurther Reading
Case Study 3: Web Application Vulnerabilities
Source Data and NormalizationOutcomes, Timelines, ResourcesInitial Reporting with “Dirty Data”Ambiguous DataDetermining Which Source to UseWorking with Stakeholders to Perform Data CleansingFollow-up with Reports and Discussions with StakeholdersLesson Learned: Fix the Process, and Then AutomateLesson Learned: Don’t Wait for Perfect Data Before ReportingSummary
PART IV Beyond Security Metrics
11 The Security Improvement Program
Moving from Projects to ProgramsManaging Security Measurement with a Security Improvement ProgramGovernance of Security MeasurementThe SIP: It’s Still about the DataRequirements for a SIPBefore You BeginDocumenting Your Security Measurement ProjectsSharing Your Security Measurement ResultsCollaborating Across Projects and Over TimeMeasuring the SIPSecurity Improvement Is Habit FormingIs the SIP Working?Is Security Improving?Case Study: A SIP for Insider Threat MeasurementSummaryFurther Reading
12 Learning Security: Different Contexts for Security Process Management
Organizational LearningThree Learning Styles for IT Security MetricsStandardized Testing: Measurement in ISO/IEC 27004The School of Life: Basili’s Experience FactoryMindfulness: Karl Weick and the High-Reliability OrganizationFinal ThoughtsSummaryFurther Reading
Case Study 4: Getting Management Buy-in for the Security Metrics Program
The CISO Hacked My ComputerWhat Is Buy-in?Corporations vs. Higher Ed: Who’s Crazier?Higher Education Case StudyProject OverviewThemesFindingsKey PointsInfluence and Organizational ChangeConclusion
Index

Overview

Implement an Effective Security Metrics Project or Program

IT Security Metrics provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization. The book explains how to choose and design effective measurement strategies and addresses the data requirements of those strategies. The Security Process Management Framework is introduced and analytical strategies for security metrics data are discussed. You'll learn how to take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time. Real-world examples of security measurement projects are included in this definitive guide.

Define security metrics as a manageable amount of usable data
Design effective security metrics
Understand quantitative and qualitative data, data sources, and collection and normalization methods
Implement a programmable approach to security using the Security Process Management Framework
Analyze security metrics data using quantitative and qualitative methods
Design a security measurement project for operational analysis of security metrics
Measure security operations, compliance, cost and value, and people, organizations, and culture
Manage groups of security measurement projects using the Security Improvement Program
Apply organizational learning methods to security metrics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Securing Office 365: Masterminding MDM and Compliance in the Cloud

Publisher Resources

ISBN: 9780071713405

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills