PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 4
Audiences for Security Metrics
The quintessential group interaction is to break the large group into smaller discussion groups. It forces the participants not only to think about your message but also to connect and collaborate with others and to apply the new information. It also inherently increases the energy level!
Kristin Arnold
We will shortly go shopping for candidate information security metrics, but first, let's consider who we are shopping for. Who will need them? And, literally, who will pay for them? It is important that we think through who the audiences for our metrics are because they are the customers, consumers, or users of the measurement data and stakeholders in the information security measurement system; as such, they have requirements that, in due course, the system will be designed to satisfy.*
The mind map/diagram (Figure 4.1) outlines five distinct audience groups. Notice that the audiences shown at the top and bottom of the diagram are external to the organization, whereas the management and operations functions shown in the middle are within it. We will talk about the insiders first.
4.1 Metrics Audiences Within the Organization
A great place to start the job of specifying information security metrics is to figure out who does what in relation to information security within the organization.† This sets the stage, clarifying what management information will be needed to support key decisions. Unfortunately, security-related roles and responsibilities are not always entirely obvious: they are not usually fully and explicitly documented in job descriptions and don't necessarily reflect the formal organizational chart. It may therefore be prudent, as part of the process of implementing information security metrics, to remedy this issue by mapping out roles and responsibilities, delineating as unambiguously as possible who is supposed to be "doing security." Clarifying the accountabilities for the protection of information assets, generally through the nomination of information asset owners, is

* We will be exploring measurement systems in some depth in Chapter 8. It's an important concept, but, for now, let's simply assume that we are trying to select security metrics individually without much regard to the bigger picture.
† We are, of course, blithely assuming that someone accepts responsibility to do the finding out! Are you reading this book simply out of a genuine interest in the topic, or have you been asked to sort out the security metrics? Either way, good luck!
Figure 4.1 Key audiences for information security metrics (mind map, rendered here as text).
Security metrics audiences:
  External stakeholders: owners (for reassurance); regulators and authorities (for reassurance and compliance); customers, local communities, and society at large (for reassurance)
  Senior management, C-suite, board: for strategic purposes, governance, and assurance
  Middle/junior management: for information security management and process improvement
  Operations: for operational reasons, e.g., to configure and manage security controls
  Peers: for benchmarking comparison and sharing good practices
