PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Chapter 8
Designing PRAGMATIC Security Measurement System
Devoting sufficient time to establishing information security performance measures is critical to deriving the maximum value from measuring information security performance.
NIST SP800-55 revision 1 (NIST 2008)
OK, we have somehow found the time to devote to security metrics. We have walked through a structured process for specifying and scoring a single metric, and we've practiced our skills on 150+ metrics examples. But how, exactly, do we establish performance measures that will derive maximum value from information security? We have a way to go yet.

In this chapter, we'll be bringing the ingredients together as a coherent whole, consciously selecting metrics that complement and support each other as elements of an information security measurement system* with business value above and beyond the accumulated value of the individual metrics.
8.1 Brief History of Information Security Metrics
Before we continue, we feel the need to remind ourselves of the context.

Prior to the 1980s, data security barely existed as a practice area, let alone a professional field of endeavor outside of the military and intelligence agencies where many of the still-current issues had been worked on since the mid-1960s. Most of the commercial security effort back then went into managing user IDs on mainframes, minis, and shared servers (apart from a swelling rank of hobbyist/homebrewed machines, there were no personal computers). Access rights within applications were generally binary (privileged or not). There were few security products on sale other than security subsystems for the mainframe systems and consultancy services. Backups were performed by backup operators. Business continuity didn't seem to be much of an issue, and there were hardly any laws and regulations concerning data security or privacy. Hackers were actively developing exciting new technologies. There was nothing much to measure, hence no security metrics.

IT security sprang up during the 1980s along with the market for security products, such as rudimentary firewalls (for corporations) and antivirus software (for the exploding market in PCs). It was possible to make a living from security as a result of growing demand from the financial services sector in particular. Hackers were actively exploring networks and telephone systems. Introduction of the quality assurance standard BS 5750 by British Standards in 1979† started to influence busi-
* While it is tempting to use the abbreviation ISMS, we don't want to confuse you with information security management systems.
† Later becoming ISO 9000.
Tip: This is a challenging chapter. If your head is spinning already, take a break at this point to let things sink in. Go back over your notes, maybe, and carry on practicing the PRAGMATIC stuff. There is no rush—it can wait.