76 ◾ PRAGMATIC Security Metrics
It is curious that so little has been said on what we feel is such an extremely important topic. Sure, there are some rather academic reasons why the accountants might prefer net present value over payback period when assessing the projected value of security investments, but in practical terms and in some situations, payback period may have redeeming qualities that make it the more valuable security metric. Other security metrics books belabor the differences between ordinal and cardinal numbers or metrics, measurements, and measures, but few information security practitioners truly understand or even care much about such arcane details, valid as they are. We simply need relevant, useful information in order to manage and deliver adequate information security while our managers and other stakeholders are clamoring for assurance that we have things under control.
The bottom line is that very few organizations today would claim to have effective and comprehensive information security metrics. Security metrics are arguably the capstone for an information security management system,* the final piece of the puzzle that locks all the others firmly in place.

Absent good information security metrics, we are flying blind.
We define metametrics,† like metadata, as information about metrics, including metrics about metrics (e.g., “number of metrics supporting the information security management system” qualifies as a metametric). Metametrics include descriptions of metrics (e.g., most metrics catalogs consist of records for each metric containing fields such as scope, purpose, parameters, sources, and calculations: these are all metametrics). In exactly the same way that information security metrics are used to measure, manage, and improve the security controls and, hence, the security management system, metametrics help us measure, manage, and improve our metrics and, hence, the measurement system.
Metametrics are used

◾ As indicators of the relative worth or value of each metric when considering various options and choosing the best metrics for the measurement system (see Chapter 8)
* Even ISO/IEC JTC1/SC27, the international committee of highly experienced, competent, and well-respected information security experts responsible for the ISO27k standards, struggles with security metrics. Just look at ISO/IEC 27004 to see what we mean! It’s all very well in theory, but how do we actually use it?
† Stefani and Xenos (2009) used the term “metametric” in relation to choosing good eCommerce metrics, noting “Meta-metrics represent different aspects of the measurement procedure like automation, measurement issues and reliability of provided measures.” We have simply contracted the term.