322 ◾ PRAGMATIC Security Metrics
12.1 The Context: Acme Enterprises, Inc.
For the purposes of this worked example, we envisage Acme Enterprises, Inc., a
midsized manufacturing company. The partial organizational structure chart in
Figure 12.1 represents some of Acme’s executives/senior managers (the C-suite),
the business units, departments or functions they manage, plus four external
stakeholder groups with varying interests in Acme.*
As mentioned in Section 3.3, a sound approach to specifying and designing
metrics is to determine who needs to know what, when in order to effectively
discharge their responsibilities. The organizational chart, to a large extent, answers
the first question about who needs information security metrics, but exploring
the security responsibilities in more detail tells us more about the what, if not the
* In reality, information security (and hence information security metrics) would be of wider
concern, but these audiences suffice to demonstrate the utility of the PRAGMATIC approach.
Figure 12.1 Partial organizational chart for Acme Enterprises, Inc.