Information assurance (IA) has suffered for decades from the lack of sound quantitative methods for coping with risk and evaluating alternative strategies for allocating resources wisely in the fight against errors and attacks on our information
All of us involved in IA maneuver through competing frameworks for choosing and implementing defenses; unfortunately, all too often we rely on the equivalent of word-of-mouth recommendations (industry best practices) in choosing particular paths. As our field matures, we must learn from other professions where methods for evaluating the quality of approaches have shifted from purely intuitive approaches to more systematic and repeatable methods.
The authors of this book have contributed their experience and creativity to present a valuable methodology for creating and evaluating elements of security management. Throughout the work, they emphasize how important it is to use heuristics rather than rigid rules in any field that changes constantly.
Security of all kinds suffers from the fundamental difficulty that if security measures work, there's less evidence that the measures were necessary, at least for non-professional observers such as non-technical managers. Without sound metrics, we are in the position of passersby who encounter a man swinging plucked chickens around his head while he stands on a street corner: asked why he is doing that, he answers, "To keep the flying elephants away." "But there are no flying elephants," respond the befuddled observers. He crows triumphantly, "See? It works!"
Without defining, testing, and refining metrics, our profession will continue to be subject to the legitimate question, "How do you know?" How do we know if our proposals (our proposed spending, our proposed topology, our proposed changes) are reasonable? Why do we choose one set of responses over another? And how will we measure the results of our methods to evaluate their effectiveness and their efficiency?
In addition to supporting the development of IA, the methods presented in this text will reach professionals in fields that will benefit from good, PRAGMATIC