PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Foreword

Information assurance (IA) has suffered for decades from the lack of sound quantitative methods for coping with risk and evaluating alternative strategies for allocating resources wisely in the fight against errors and attacks on our information systems.

All of us involved in IA maneuver through competing frameworks for choosing and implementing defenses; unfortunately, all too often we rely on the equivalent of word-of-mouth recommendations—industry best practices—in choosing particular paths. As our field matures, we must learn from other professions where methods for evaluating the quality of approaches have shifted from purely intuitive approaches to more systematic and repeatable methods.

The authors of this book have contributed their experience and creativity to present a valuable methodology for creating and evaluating elements of security management. Throughout the work, they emphasize how important it is to use heuristics rather than rigid rules in any field that changes constantly.

Security of all kinds suffers from the fundamental difficulty that if security measures work, there’s less evidence that the measures were necessary, at least for non-professional observers such as non-technical managers. Without sound metrics, we are in the position of passersby who encounter a man swinging plucked chickens around his head while he stands on a street corner: asked why he is doing that, he answers, “To keep the flying elephants away.” “But there are no flying elephants,” respond the befuddled observers. He crows triumphantly, “See? It works!”

Without defining, testing, and refining metrics, our profession will continue to be subject to the legitimate question, “How do you know?” How do we know if our proposals—our proposed spending, our proposed topology, our proposed changes—are reasonable? Why do we choose one set of responses over another? And how will we measure the results of our methods to evaluate their effectiveness and their efficiency?

In addition to supporting the development of IA, the methods presented in this text will reach professionals in fields that will benefit from good, PRAGMATIC metrics.
Thanks to W. Krag Brotby and Gary Hinson, I expect to see dramatic changes in our ability to analyze our security options, explain our choices, and measure our results.

M. E. Kabay, PhD, CISSP-ISSMP
Professor of Computer Information Systems
School of Business Management
Norwich University, Northfield, Vermont