Chapter 13

Information Security Metrics

Abstract

In this chapter, the authors discuss information security metrics and how they relate to risk. They begin with a discussion of the current state of metrics and what the goal state should look like. A review of the goals, metrics, question (QGM) approach to defining metrics is offered, and a list of sample metrics is presented and reviewed. The authors also review visibility metrics and how to acquire data to support them. Loss exposure is discussed, along with its importance to the overall metrics program. Variability metrics are discussed, and their prominence as an important part of the overall metrics program is explained.

Keywords

Execution; KPI; KRI; Metrics; Variability; Visibility
