246 ◾ PRAGMATIC Security Metrics
OK, we have somehow found the time to devote to security metrics. We have walked through a structured process for specifying and scoring a single metric, and we’ve practiced our skills on 150+ metrics examples. But how, exactly, do we establish performance measures that will derive maximum value from information security? We have a way to go yet.
In this chapter, we’ll be bringing the ingredients together as a coherent whole, consciously selecting metrics that complement and support each other as elements of an information security measurement system* with business value above and beyond the accumulated value of the individual metrics.
8.1 Brief History of Information Security Metrics
Before we continue, we feel the need to remind ourselves of the context.
Prior to the 1980s, data security barely existed as a practice area, let alone a professional field of endeavor outside of the military and intelligence agencies where many of the still-current issues had been worked on since the mid-1960s. Most of the commercial security effort back then went into managing user IDs on mainframes, minis, and shared servers (apart from a swelling rank of hobbyist/homebrewed machines, there were no personal computers). Access rights within applications were generally binary (privileged or not). There were few security products on sale other than security subsystems for the mainframe systems and consultancy services. Backups were performed by backup operators. Business continuity didn’t seem to be much of an issue, and there were hardly any laws and regulations concerning data security or privacy. Hackers were actively developing exciting new technologies. There was nothing much to measure, hence no security metrics.
IT security sprang up during the 1980s along with the market for security products, such as rudimentary firewalls (for corporations) and antivirus software (for the exploding market in PCs). It was possible to make a living from security as a result of growing demand from the financial services sector in particular. Hackers were actively exploring networks and telephone systems. Introduction of the quality assurance standard BS 5750 by British Standards in 1979 started to influence busi-
* While it is tempting to use the abbreviation ISMS, we don’t want to confuse you with information security management systems.
Later becoming ISO 9000.
Tip: This is a challenging chapter. If your head is spinning already, take a break at this point to let things sink in. Go back over your notes, maybe, and carry on practicing the PRAGMATIC stuff. There is no rush—it can wait.