PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 7
150+ Example Security Metrics
Mr. Jaggers suddenly became most irate. “Now, I warned you before,” said he, throwing his forefinger at the terrified client, “that if you ever presumed to talk in that way here, I’d make an example of you. You infernal scoundrel, how dare you tell me that?”
Charles Dickens, Great Expectations
We move on now to demonstrate the PRAGMATIC method by using it to score a selection of candidate information security metrics. The approach we have taken in this chapter is to do the following:
- Identify approximately 150 information security metrics that might be under consideration to support a broad swathe of information security-related decisions*
- Group, classify, or structure the metrics to help us make sense of them
- Rate the metrics against the nine PRAGMATIC criteria (Appendix B) using the method described in Chapter 6, generating an overall PRAGMATIC score and a set of accompanying notes for each metric
- Discuss the metrics and their ratings, pointing out the factors or reasoning that led us to rate them thus against the PRAGMATIC criteria making up their scores
Just as with the security metrics themselves, the PRAGMATIC approach is context sensitive; in other words, the scoring criteria may be interpreted differently under various circumstances. For the purposes of the examples in this chapter, we have assumed the evaluation of potential information security metrics is taking place in the context of a generic midsized commercial organization that has a relatively immature information security management system (probably not certified compliant with ISO/IEC 27001, but perhaps working toward that goal). The scores will differ, perhaps materially, in other organizations and business contexts, including your own, so by all means, disagree with the ratings and scores we have determined as you consider the examples in relation to your own business and security circumstances.
To structure the discussion, we chose to group or categorize the example metrics in line with ISO/IEC 27002:2005 for two main reasons. First, the ISO27k standards are well respected and well known globally, so the structure should be at least broadly familiar to most readers. Second, while the categorization of some controls and metrics is somewhat arbitrary, the ISO27k standards are reasonably
* The list is not intended to be comprehensive, exhaustive, or definitive: these are merely example metrics, a way to illustrate PRAGMATIC scoring. The high-scoring example metrics may not be relevant or applicable to your circumstances and needs, and you will almost certainly need to adapt or adopt others. Some were chosen specifically for their very low PRAGMATIC scores in the hypothetical scenario but may score much better in your situation.
Tip: e point is not to derive exactly the same ratings and scores as we do
but to try out the PRAGMATIC method and see how it works for you in
your situation.
Tip: e PRAGMATIC scoring tables in this chapter are static snapshots
from a spreadsheet we created, use, and maintain. e spreadsheet does the
calculations for us and allows us to sort the metrics easily according to their
PRAGMATIC scores or individual ratings. We can also weight the criteria if
we wish to place more or less emphasis on certain ratings. Obviously, it’s a lot
easier to fiddle around with the numbers in a spreadsheet than to do the cal-
culations and sorting manually. Although you can probably create your own
spreadsheet easily enough from scratch, if you intend to work through these
examples assigning your own ratings, or rating and scoring your information
security metrics, you are very welcome to download ours as a starting point:
visit www.SecurityMetametrics.com for details.
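The scoring, sorting and criterion weighting the tip attributes to the authors' spreadsheet, as an added example in Python that is not the authors' spreadsheet or code: it assumes each of the nine criteria is rated 0 to 100, that the overall PRAGMATIC score is the (optionally weighted) mean of those ratings, and that the acronym expands to Predictive, Relevant, Actionable, Genuine, Meaningful, Accurate, Timely, Independent, Cost; the metric names and ratings are constructed, not taken from the chapter's tables.

```python
from dataclasses import dataclass

# The nine PRAGMATIC criteria in acronym order (assumed expansion; the chapter
# only refers to "the nine PRAGMATIC criteria" and points to Appendix B).
CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
            "Accurate", "Timely", "Independent", "Cost")


@dataclass
class MetricRating:
    name: str
    ratings: dict  # criterion name -> rating in 0..100

    def __post_init__(self):
        # Reject incomplete or out-of-range rating sets up front, the way a
        # spreadsheet with data validation would.
        missing = set(CRITERIA) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: missing ratings for {sorted(missing)}")
        for crit, value in self.ratings.items():
            if crit not in CRITERIA or not 0 <= value <= 100:
                raise ValueError(f"{self.name}: bad rating {crit}={value}")


def pragmatic_score(metric, weights=None):
    """Overall score as the weighted mean of the nine ratings, rounded to 0.1.
    Assumption: equal weights reproduce the plain mean; weights re-emphasise criteria."""
    if weights is None:
        weights = {c: 1.0 for c in CRITERIA}
    total = sum(weights.get(c, 0.0) for c in CRITERIA)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return round(sum(metric.ratings[c] * weights.get(c, 0.0) for c in CRITERIA) / total, 1)


def rank_metrics(metrics, weights=None, by=None):
    """Sort highest first by overall score, or by one criterion's rating when `by` is set."""
    if by is not None and by not in CRITERIA:
        raise ValueError(f"unknown criterion {by!r}")
    key = (lambda m: m.ratings[by]) if by else (lambda m: pragmatic_score(m, weights))
    return sorted(metrics, key=key, reverse=True)


# Constructed sample ratings for two hypothetical metrics (not the book's values).
SAMPLE = [
    MetricRating("Days to deploy critical patches",
                 dict(zip(CRITERIA, (80, 90, 85, 70, 80, 75, 85, 60, 70)))),
    MetricRating("Number of firewall rules",
                 dict(zip(CRITERIA, (20, 30, 25, 60, 20, 90, 80, 50, 90)))),
]

if __name__ == "__main__":
    for m in rank_metrics(SAMPLE):
        print(f"{pragmatic_score(m):5.1f}  {m.name}")
```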
[Figure 7.1 ISO/IEC 27002:2005 structure. Reconstructed from the figure's labels: the standard's sections, each broken down into the subtopics shown.]
4. Risk management: risk assessment, risk analysis, risk mitigation
5. Policy: principles and axioms, policies, standards, guidelines and procedures
6. Organization: structure, reporting, liaison
7. Asset management: inventory, classification, ownership
8. HR security: joiners, movers, leavers; awareness, training and education
9. Physical and environmental: physical access, power, air conditioning, fire and water
10. Comms and Ops management: configs, monitoring, logging and alerting, patching
11. Access control: physical, network, systems, applications, functions, data
12. Software development: requirements, design, develop or acquire, test, implement, maintain and support
13. Incident management: prepare, identify, react, manage and contain, resolve, learn
14. Business continuity: resilience, disaster recovery, backups, archives
15. Compliance: audit, policies, laws and regulations, third parties
Figure 7.1 ISO/IEC 27002:2005 structure.