364 ◾ PRAGMATIC Security Metrics
information and decision support needs, and most of all exploiting opportunities
to develop and improve your information security metrics.
13.1 Take-Home Lessons from This Book
We’d like to leave you with some parting thoughts and suggestions on how to take
this new knowledge forward, starting with a recap of the main points we have done
our level best to bring to your attention.
13.1.1 On Pragmatism and Being PRAGMATIC
Even if you don’t entirely agree with the PRAGMATIC criteria and perhaps feel
that we have materially mis-scored the example metrics in Chapter 7, surely you
will at least acknowledge that the book has stimulated you to think more deeply
about security metrics. The same will hold true of your peers, managers, and colleagues. Go ahead; try it. When discussing security metrics, simply mention in
passing that you are selecting metrics with the best scores to see how it piques their
interest. We encourage you to use our approach to discuss, assess the quality of,
compare, and select security metrics. In other words, we have given you the tool
and, we hope, the conﬁdence to lift the lid on what has, until now, been a rather
nasty can of worms.
By the way, don’t feel compelled to design, develop, and implement the perfect
security measurement system all by yourself, nor all at once. With such diverse
audiences for security metrics, you honestly can’t go it alone. Furthermore, because
the approach we have described is literally systematic, it can and should be used to
drive incremental or evolutionary improvements.* Before you know it, you’ll ﬁnd
yourself sitting in or presiding over a periodic management meeting to review the
performance of your information security measurement system and, as far as we’re
concerned, that’s a job well done!
Notwithstanding previous publications in this ﬁeld, prior to this book, the
selection of information security metrics was largely a black art. For most organi-
zations, it was a hit-or-miss aﬀair. Some took the lead from information security
management standards, such as SP800-53 and ISO/IEC 27004, or developed a
more systematic approach based on approaches such as COBIT. Some informa-
tion security professionals simply kept their ears to the ground, picking up metrics
* In the same way, the most valuable feature of an ISO27k ISMS is not a preordained set of
security controls designed by some erudite international committee of security experts, but
the governance framework for information security with which management can dynamically
determine the organization’s specific security needs and systematically improve the security
controls accordingly. Security metrics are an absolutely essential part of an effective ISMS. The
two go very much hand in hand.