PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 5
Finding Candidate Metrics
[Chapter map figure: PRAGMATIC security metrics, Chapters 1 to 13 (Introduction, Why measure?, Art and science, Audiences, Finding metrics, PRAGMATIC, Example metrics, Measurement system, Advanced metrics, Downsides, Using metrics, Case study, Conclusion) plus Appendices. This chapter, Chapter 5 Finding metrics, covers Sources, Catalogs, and Roll-your-own.]
What gets measured gets done, what gets measured and fed back gets done well, what gets rewarded gets repeated.
John E. Jones
A few pages ago, we mentioned there is no shortage of things that could be measured in relation to information security. Anything that changes can be measured both in terms of the amount and the rate of change and possibly in other dimensions as well. Given the dynamic and complex nature of information security, there are a great number of things we could measure. As this chapter will soon show, it’s really not hard to come up with a long list of potential security metrics, all candidates for our information security measurement system.
For our purposes, the trick will be to find those things that both (1) relate in a reasonably consistent manner to information security, preferably in a forward-looking manner, and (2) are relevant to someone in the course of doing his or her job; in other words, they have purpose and utility for security management. We will tackle that issue shortly through the PRAGMATIC approach, but first, in order to help you identify candidate information security metrics that are right for your situation, this chapter offers some advice on where to go looking for inspiration. Along the way, we are deliberately going to lead you astray from the well-beaten path to explore the ways other fields, besides information security and IT, choose and use metrics.
5.1 Preexisting/Current Information Security Metrics
Very few information security managers ever have the luxury* of a green-field opportunity to implement the perfect set of information security metrics completely from scratch. Especially if you are relatively new at this game and your organization has been into information or IT security for some while, your existing security metrics may be a little lackluster or thin on the ground. There’s no shame whatsoever in that: you have probably bought this book in order to improve your security metrics. You might not have been involved when the current crop of security metrics were first developed—it’s quite common, in fact, to find that some data are routinely collected, processed, and reported, although nobody can recall exactly why! Nevertheless, your existing security metrics do provide a platform, a starting point, and some of them may well feature in due course in your more mature information security measurement system.
This book provides the tools to evaluate your existing security metrics to determine which of them are truly valuable enough to be worth keeping. Retiring security metrics that are no longer deemed sufficiently valuable will cut costs directly and bring other indirect benefits, such as simplifying management reports, making them more focused and less “noisy.”
* Would it truly be a luxury or a challenge? Discuss.
Tip: “Well-instrumented systems monitor and measure only those elements that are useful or essential to the required management tasks. Assuming a determination has been made of critical activities and the potential for serious impacts and tolerance for risk, then the issue of effectiveness must be considered in terms of the necessity for certain specific types of information” (Brotby 2009a).