PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson


Chapter 12
Case Study
Example is the best precept.
Aesop
If, despite our best intentions, you find the rest of this book too theoretical, try this chapter for size. Here, we illustrate the specification, selection, and use of security metrics through a case study based on the hypothetical organization outlined below. Throughout this chapter, we refer to {example metrics} drawn from the prototype metrics catalog at Appendix F. Refer back to Chapter 7 for additional information on any that are not immediately obvious.
12.1 The Context: Acme Enterprises, Inc.
For the purposes of this worked example, we envisage Acme Enterprises, Inc., a midsized manufacturing company. The partial organizational structure chart in Figure 12.1 represents some of Acme's executives/senior managers (the C-suite), the business units, departments or functions they manage, plus four external stakeholder groups with varying interests in Acme.*
As mentioned in Section 3.3, a sound approach to specifying and designing metrics is to determine who needs to know what, when in order to effectively discharge their responsibilities. The organizational chart, to a large extent, answers the first question about who needs information security metrics, but exploring the security responsibilities in more detail tells us more about the what, if not the when.
* In reality, information security (and hence information security metrics) would be of wider concern, but these audiences suffice to demonstrate the utility of the PRAGMATIC approach.
[Figure 12.1: organizational chart; the image is not reproduced here. Labels recoverable from the figure: C-suite: CEO, CISO, VP Marketing, CIO, VP Production, CFO. Business units: Finance, IT, Information security, Sales, Toronto factory, Perth factory. Stakeholders: Owners, stockholders; Authorities, industry regulators; Local communities and society at large; Customers, suppliers, business partners.]
Figure 12.1 Partial organizational chart for Acme Enterprises, Inc.
12.2 Information Security Metrics for C-Suite
First, let's examine the roles and responsibilities of the senior managers in Acme's C-suite.* Anyone making decisions rationally requires pertinent information, including metrics. The responsibilities noted in the table below imply the nature of the decisions being made and, hence, give us our first real clue about the information and metrics needed.
| Title | Key Strategic Role | Main Corporate Responsibilities | Information Security Responsibilities | Other Important Responsibilities |
|---|---|---|---|---|
| CEO | Overall corporate strategic direction | Aligning and optimizing resources, stakeholder liaison, corporate governance | Risk management, asset protection, exploiting information safely, ethics | Overall leadership, coordination and motivation |
| CFO | Financial and commercial strategies | Profitability: value and revenue generation, cost controls | Financial risk management, financial controls | Regulatory compliance, financial reporting |
| CIO | Information management strategy | IT and information management, systems and data architecture | IT/data security controls, technical vulnerability management | Technical resilience and IT disaster recovery |
| CISO | Information security strategy | Information security management (and metrics!) | Information security risk management and controls (all aspects) | Privacy, incident management, continuity planning |
| VP marketing | Competitive strategy | Sales and marketing, research and development, distribution and service, competitor analysis | Protection of proprietary knowledge (especially trade secrets), competitive intelligence | Customer relations, advertising and promotions, channels, distribution, pricing |
| VP production | Manufacturing strategy | Production management, manufacturing | Identifying and protecting critical business processes, mostly in the factory | Supply chain and supplier relations, QA, production schedule, efficiency |

* In the interest of actually finishing this book, we are skipping right past the determination of the organization structure and the responsibilities identified in the table. Although it begs fascinating questions, we leave that as an exercise for the reader.
Let us assume, for the purposes of this case study, that Acme is currently reviewing its business strategy. Let's also assume the draft business strategy is expressed coherently enough through the following paper for us to pick out the key elements, particularly those of relevance to information security.
HIGHLY CONFIDENTIAL
ACME ENTERPRISES, INC.
DRAFT CORPORATE STRATEGY: 2012–2022
INTRODUCTION
Once a year, Acme's senior management team meets offsite for a strategic planning meeting to discuss and finalize this draft strategy. The draft is based on the previous year's strategy, incorporating a number of changes, most of
