2 ◾ PRAGMATIC Security Metrics
not to mention a gazillion white papers, vital briefings, and urgent advisories.* And to cap it all, Google finds us far more than we could ever hope to read on any topic we care to mention, no matter how obscure, in milliseconds. Contrary to popular opinion, we are not thriving in the midst of an information revolution but drowning under a data tsunami.
1.1 Why Have We Written This Book?
No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication, and delivering the information needed by various parts of the organization to make informed decisions. Information security is no different. While practitioners frequently lament the profession’s lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information, or comfort, let

The reality is that we supply mostly technical metrics to management because they are easy and cheap to collect and perhaps a few others by edict. More than one honest security guy has also confessed to generating metrics purely to support budget requests or to give the appearance of being in control. Very few organizations genuinely attempt to manage their information security by the numbers except perhaps in specific and rather limited situations. Gut feeling, conjecture, and guesswork rule the field, representing a rather risky, perhaps even cavalier, approach to the management of information security risks. Is it any wonder, then, that serious information security and privacy incidents are all over the news? That otherwise sound businesses go to the wall when hit by “unanticipated” disasters? That unfortunate patients are overdosed and injured by software-controlled x-ray machines that were meant to cure their ills?

This state is not entirely of our own making, nor are we alone in this: practitioners in other fields, such as risk management, compliance, governance, and many more, also struggle to answer straightforward questions from stakeholders. We may
* We are very conscious that we are adding to your burden by publishing this book. We appreciate that we must compete with all those other demands on your valuable time. We know you are busy and, to be frank, so are we—so much so that it has been tough to clear the space in our diaries to write these words. What kept us going was our overwhelming passion for information security metrics and the thought that maybe, just maybe, we have something important to say. See what you think.

Note: We said “generating,” not “measuring”! Security metrics should surely reduce, not increase, the level of FUD (fear, uncertainty, and doubt)—a point raised by Jaquith (2007) and covered further in Chapter 10.