PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 1
Introduction
[Chapter map of PRAGMATIC Security Metrics: Chapter 1 Introduction; Chapter 2 Why measure?; Chapter 3 Art and science; Chapter 4 Audiences; Chapter 5 Finding metrics; Chapter 6 PRAGMATIC; Chapter 7 Example metrics; Chapter 8 Measurement system; Chapter 9 Advanced metrics; Chapter 10 Downsides; Chapter 11 Using metrics; Chapter 12 Case study; Chapter 13 Conclusion; Appendices: Background, Authors, Terms]
When a group of business executives was asked what value they found
in the security reports they received, the consistent answer was “not
much.”
Mathew Schwartz
This quotation from Mathew Schwartz rings a big bell for us. On a good day, we
suspect we are gradually becoming submerged in a vast sea of data, struggling to
find any useful pieces of information to cling to. On a bad day, we know we’re
already too late, and the weak signals we’re hunting for are lost forever in the noise.
We have to deal not only with memos and reports from our esteemed colleagues,
but with an endless stream of emails, phone calls, blogs, Tweets, and more. In the
security arena, it seems as if there’s another security survey published every week,
not to mention a gazillion white papers, vital briefings, and urgent advisories.* And
to cap it all, Google finds us far more than we could ever hope to read on any topic
we care to mention, no matter how obscure, in milliseconds. Contrary to popular
opinion, we are not thriving in the midst of an information revolution but drowning
under a data tsunami.
1.1 Why Have We Written This Book?
No profession has ever achieved status and credibility before developing effective
metrics that show cause and effect, provide reliable prognostication, and deliver
the information needed by various parts of the organization to make informed
decisions. Information security is no different. While practitioners frequently lament
the profession’s lack of standing with business executives, we continue to fail to
provide credible answers to essential questions and reliable evidence of the value
of our craft. Most of us provide management only with obscure technical measures
that do little to supply the needed answers, actionable information, or comfort, let
alone assurance.
The reality is that we supply mostly technical metrics to management because
they are easy and cheap to collect, plus perhaps a few others by edict. More than one
honest security guy has also confessed to generating metrics purely to support
budget requests or to give the appearance of being in control. Very few organizations
genuinely attempt to manage their information security by the numbers, except
perhaps in specific and rather limited situations. Gut feeling, conjecture, and guesswork
rule the field, representing a rather risky, perhaps even cavalier, approach to
the management of information security risks. Is it any wonder, then, that serious
information security and privacy incidents are all over the news? That otherwise
sound businesses go to the wall when hit by “unanticipated” disasters? That unfortunate
patients are overdosed and injured by software-controlled x-ray machines
that were meant to cure their ills?
This state is not entirely of our own making, nor are we alone in this: practitioners
in other fields, such as risk management, compliance, governance, and many
more, also struggle to answer straightforward questions from stakeholders. We may
* We are very conscious that we are adding to your burden by publishing this book. We appreciate
that we must compete with all those other demands on your valuable time. We know you
are busy and, to be frank, so are we, so much so that it has been tough to clear the space in
our diaries to write these words. What kept us going was our overwhelming passion for information
security metrics and the thought that maybe, just maybe, we have something important
to say. See what you think.
Note: We said “generating,” not “measuring”! Security metrics should surely reduce, not
increase, the level of FUD (fear, uncertainty, and doubt)—a point raised by Jaquith (2007)
and covered further in Chapter 10.