PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Preface
Does your organization have a meaningful, worthwhile suite of information security measurements in place? No? Well then how exactly are you managing your information security risks and controls? Let’s guess: a pinch of good practices, a sprinkling of international standards, and a large measure of gut feel?!

Whereas most previous publications in this field have been either academic or narrow in scope, we have developed an eminently practical and rational approach to selecting information metrics that work. At its heart, the PRAGMATIC method is simply a tool to identify which of the thousands of possible security metrics are actually worth adopting. That claim may seem trivial if you have not personally struggled with this very issue, but trust us, it’s a Big Deal. Sifting the wheat from the chaff is never easy, but at least now we have a way to differentiate grains from husks. Hitherto, they all looked much the same—a uniformly bland shade of brown. PRAGMATIC security metrics appear in full glorious Technicolor, and not merely 2D or 3D but 9D!
Writing this book was a surprisingly enjoyable labor. We came together serendipitously at a Wellington hotel in New Zealand where both of us just happened to be working on security metrics: Krag delivering a two-day metrics course, Gary co-leading a one-day metrics workshop for the local ISACA chapter. We instantly realized we had a lot in common, not least a sense of humor and a love of fine red wine that made our first encounter a memorable experience. Our shared passion for information security metrics and the belief that there has to be a better way drove us together in the search for enlightenment.
Our decision to co-author this book was momentous, not least for the fact that although Krag had already written books on information security governance and metrics, the only book Gary had written was his PhD thesis—many moons ago, and on microbial genetics at that!
At the time we agreed to collaborate, we had not invented PRAGMATIC. The PRAGMATIC concept mysteriously emerged from our early discussions, initially as a way to align our thoughts, but it soon became evident that we had chanced upon something uniquely valuable. The process of evaluating, comparing between, considering, and eventually choosing security metrics solved a vexatious problem affecting practically everyone who gets into security metrics. Simply stated, we stumbled on the way to answer the deceptively simple/naïve question, “What should we measure?,” and that answer, in turn, opened up entirely new horizons. Many previously intractable information security management problems become solvable through PRAGMATIC metrics, or rather through the availability of meaningful, factual data on which to base important decisions.
Aside from information security, we are intrigued at the prospect of using the PRAGMATIC approach to develop and select worthwhile metrics in different fields of management—not just closely allied areas such as governance, risk management, and compliance but almost anything in fact. If you are an expert in sports management, financial management, HR management, engineering management, strategic management, or some other specialty who is inspired by this book to develop PRAGMATIC metrics in your context, please do get in touch with the authors through www.SecurityMetametrics.com. We’d love to work with you on this.