30 ◾ PRAGMATIC Security Metrics
us resolve real-world situations that we face in information security management.
Call it applied science if you will, state of the art, perhaps.
In recent years, a number of organizations and individuals have expressed their views and made suggestions on how information security can or should be measured. In this chapter, we consider their advice, comparing and contrasting their approaches with the approach that we favor. If you are serious about security metrics, we encourage you to check out the cited references for yourself (if you haven’t already) and draw your own conclusions. Although we are highlighting certain key sources specifically in this chapter, we encourage you to look at the bibliography toward the end of the book for further reading. You may not have the interest to delve too deeply into the field right now, but perhaps after finishing this book and starting to apply the techniques we suggest, you will feel the need for additional background and loftier expositions on security metrics.
3.1 Metrology, the Science of Measurement
Metrology, derived from the Greek word metron, is the science of measuring and quantifying things. “Metricians” are the practitioners of metrology. In this book, we are primarily concerned with one relatively narrow and specific form of applied metrology: the practical application of theoretical measurement science in the real world of information security. We also have an interest in the application of metrics to the much broader fields of business management, governance, and risk management, although mostly in the areas where they intersect with information
We don’t intend to go into detail, but, briefly, here are a few of the important factors in metrology:
◾ Precision concerns the limit of details that can be measured and distinguished.
◾ Accuracy includes aspects such as repeatability.
◾ Integrity is a concern for the measurement data and the systems and processes
◾ Utility is about measuring things that matter.
You will find distinct echoes of these considerations and more in the PRAGMATIC
3.2 Governance and Management Metrics
Metrics are primarily a decision support tool for management. Good metrics provide useful, relevant information to help people—mostly, but not exclusively, managers—make decisions based on a combination of historical events (the context),