PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 2: Why Measure Information Security?
[Figure: chapter map of PRAGMATIC Security Metrics. Chapter 1 Introduction; Chapter 2 Why measure?; Chapter 3 Art and science; Chapter 4 Audiences; Chapter 5 Finding metrics; Chapter 6 PRAGMATIC; Chapter 7 Example metrics; Chapter 8 Measurement system; Chapter 9 Advanced metrics; Chapter 10 Downsides; Chapter 11 Using metrics; Chapter 12 Case study; Chapter 13 Conclusion; Appendices. Sidebar themes: Answering questions; Strategy, mgmt, ops; Compliance; For profit.]
Every CSO should have half a dozen dials to watch on a regular basis. These indicators could be “survival metrics,” the hot buttons on a dashboard you are expected to address that monitor the wellness of your organization or an issue of particular concern to management.
George K. Campbell (2006)
Given that so many organizations evidently cope without much in the way of information security metrics, it seems reasonable to explore the reasons why we believe measuring information security is worthwhile although not absolutely essential.
Good practices may, in fact, suffice in some circumstances, but a one-size-fits-all approach will never be optimal and inevitably will result in overprotection of some assets and under-protection of others.
From our experience, we believe there is a genuine and increasingly urgent need for viable metrics in information security. While, to date, the profession has generally muddled through with almost no rational, sound, and defensible security measurements, the situation is simply not sustainable over the long term. We are fast approaching and, in some cases, already exceeding the limits of the information security manager’s gut feeling, qualifications, and experience, coupled with the use of ill-defined and generic good or so-called best practices, as a basis for extremely important security and risk management decisions. While not so common these days, there are still those who contend that as long as you implement best practices, you don’t need extensive metrics. However, best practices are an inadequate substitute for genuine knowledge. What may be best in one organization may be too costly and excessive in another or, in some cases, wholly inadequate. Without metrics, how would you ever know?*
Improving information security is becoming ever harder given that we have already, to a fair degree, harvested the low-hanging fruit. And, unfortunately, as our rate of improvement declines, there are clear signs that organized criminals, hackers, saboteurs, industrial spies, fraudsters, malware authors, and terrorists are gaining the upper hand, perceptibly raising the stakes. It is not far off the mark to suggest that the profession is in, or is fast approaching, a crisis of confidence. We’re winning occasional battles but losing the war. When experienced security professionals turn from being just ordinarily pessimistic and risk-averse to jaundiced and cynical and retiring or leaving the profession for less stressful occupations, is it any wonder that business managers and stakeholders begin to lose faith in our abilities?
The bulk of this chapter consists of a string of rhetorical questions or issues that raise their ugly heads in some form in most organizations at some point. Count yourself lucky if you haven’t been asked them yet: it’s just a matter of time.
The points that follow would form the basis on which one might justify the investment needed to specify, design, and use an information security measurement system, leading to (we hope) a convincing business case for such a system and, potentially, justifications supporting at least the initial suite of security metrics that populate it. Don’t fret: we will discuss the measurement system, the selection of metrics, and all that in later chapters, but let’s start by considering the fundamental requirement for security metrics.
* We hear, “You can’t manage what you can’t measure” quite often. It’s an old saw. The phrase has a ring of truth to it, but actually we do manage unmeasured things all the time, just not particularly well! We contend that a lot of information security managers have been struggling to manage information security with inadequate measures because they had no alternative until now.