PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 3
The Art and Science of Security Metrics

[Chapter map graphic: Chapter 1 Introduction; Chapter 2 Why measure?; Chapter 3 Art and science; Chapter 4 Audiences; Chapter 5 Finding metrics; Chapter 6 PRAGMATIC; Chapter 7 Example metrics; Chapter 8 Measurement system; Chapter 9 Advanced metrics; Chapter 10 Downsides; Chapter 11 Using metrics; Chapter 12 Case study; Chapter 13 Conclusion; Appendices: Types, References, SMD]
IT metrics are like art. No one can seem to agree on what constitutes a
good metric, but everyone seems to know one when they see it.
Ann All
Security metrics is an evolving field of study, involving a combination of purely scientific and not-so-purely scientific approaches as the academics and practitioners feed off each other. While we appreciate the value of the scientific and mathematical principles, theories, and models that underpin metrics and measurements, our particular contribution in writing this book lies far more on the practical side of the fence. We study metrics not for the sake of science, but because they can help us resolve real-world situations that we face in information security management. Call it applied science if you will, state of the art, perhaps.
In recent years, a number of organizations and individuals have expressed their views and made suggestions on how information security can or should be measured. In this chapter, we consider their advice, comparing and contrasting their approaches with the approach that we favor. If you are serious about security metrics, we encourage you to check out the cited references for yourself (if you haven’t already) and draw your own conclusions. Although we are highlighting certain key sources specifically in this chapter, we encourage you to look at the bibliography toward the end of the book for further reading. You may not have the interest to delve too deeply into the field right now, but perhaps after finishing this book and starting to apply the techniques we suggest, you will feel the need for additional background and loftier expositions on security metrics.
3.1 Metrology, the Science of Measurement
Metrology, derived from the Greek word metron, is the science of measuring and quantifying things. “Metricians” are the practitioners of metrology. In this book, we are primarily concerned with one relatively narrow and specific form of applied metrology: the practical application of theoretical measurement science in the real world of information security. We also have an interest in the application of metrics to the much broader fields of business management, governance, and risk management, although mostly in the areas where they intersect with information security.
We don't intend to go into detail, but, briefly, here are a few of the important factors in metrology:

- Precision concerns the limit of detail that can be measured and distinguished.
- Accuracy includes aspects such as repeatability.
- Integrity is a concern for the measurement data and the systems and processes of measurement.
- Utility is about measuring things that matter.

You will find distinct echoes of these considerations and more in the PRAGMATIC method.
3.2 Governance and Management Metrics
Metrics are primarily a decision support tool for management. Good metrics provide useful, relevant information to help people—mostly, but not exclusively, managers—make decisions based on a combination of historical events (the context),