Does your organization have a meaningful, worthwhile suite of information security measurements in place? No? Well then how exactly are you managing your information security risks and controls? Let’s guess: a pinch of good practices, a sprinkling of international standards, and a large measure of gut feel?!
Whereas most previous publications in this field have been either academic or narrow in scope, we have developed an eminently practical and rational approach to selecting information metrics that work. At its heart, the PRAGMATIC method is simply a tool to identify which of the thousands of possible security metrics are actually worth adopting. That claim may seem trivial if you have not personally struggled with this very issue, but trust us, it’s a Big Deal. Sifting the wheat from the chaff is never easy, but at least now we have a way to differentiate grains from husks. Hitherto, they all looked much the same—a uniformly bland shade of brown. PRAGMATIC security metrics appear in full glorious Technicolor: not merely 2D or 3D but 9D!
Writing this book was a surprisingly enjoyable labor. We came together serendipitously at a Wellington hotel in New Zealand where both of us just happened to be working on security metrics—Krag delivering a two-day metrics course, Gary co-leading a one-day metrics workshop for the local ISACA chapter. We instantly realized we had a lot in common, not least a sense of humor and a love of fine red wine that made our first encounter a memorable experience. Our shared passion for information security metrics and the belief that there has to be a better way drove us together in the search for enlightenment.
Our decision to co-author this book was momentous, not least for the fact that although Krag had already written books on information security governance and metrics, the only book Gary had written was his PhD thesis—many moons ago, and on microbial genetics at that!
At the time we agreed to collaborate, we had not invented PRAGMATIC. The PRAGMATIC concept mysteriously emerged from our early discussions, initially as a way to align our thoughts, but it soon became evident that we had chanced upon something uniquely valuable. The process of evaluating, comparing between, considering, and eventually choosing security metrics solved a vexatious problem