Art and science

To make an end is to make a beginning.
The end is where we start from.
T. S. Eliot
Through this book, we offer what we hope is eminently practical guidance on a very
thorny topic, one that is all too often skirted or avoided by information security
professionals and business managers, the very people for whom useful information
security metrics would be a godsend. We have laid out a rational, step-by-step
process for locating, assessing, selecting, and using information security metrics that
form the building blocks for a coherent information security measurement system.
Fear not, the end is nigh. The time is fast approaching when you will find
yourself using our advice in your particular situation, interpreting and adapting it to
suit your organization, its security status, the maturity of its ISMS, management's
information and decision support needs, and most of all exploiting opportunities
to develop and improve your information security metrics.
13.1 Take-Home Lessons from This Book
We’d like to leave you with some parting thoughts and suggestions on how to take
this new knowledge forward, starting with a recap of the main points we have done
our level best to bring to your attention.
13.1.1 On Pragmatism and Being PRAGMATIC
Even if you don’t entirely agree with the PRAGMATIC criteria and perhaps feel
that we have materially mis-scored the example metrics in Chapter 7, surely you
will at least acknowledge that the book has stimulated you to think more deeply
about security metrics. The same will hold true of your peers, managers, and
colleagues. Go ahead; try it. When discussing security metrics, simply mention in
passing that you are selecting metrics with the best scores to see how it piques their
interest. We encourage you to use our approach to discuss, assess the quality of,
compare, and select security metrics. In other words, we have given you the tool
and, we hope, the conﬁdence to lift the lid on what has, until now, been a rather
nasty can of worms.
By the way, don’t feel compelled to design, develop, and implement the perfect
security measurement system all by yourself, nor all at once. With such diverse
audiences for security metrics, you honestly can’t go it alone. Furthermore, because
the approach we have described is literally systematic, it can and should be used to
drive incremental or evolutionary improvements.* Before you know it, you’ll ﬁnd
yourself sitting in or presiding over a periodic management meeting to review the
performance of your information security measurement system and, as far as we’re
concerned, that’s a job well done!
Notwithstanding previous publications in this field, prior to this book, the
selection of information security metrics was largely a black art. For most
organizations, it was a hit-or-miss affair. Some took the lead from information security
management standards, such as NIST SP 800-53 and ISO/IEC 27004, or developed a
more systematic approach based on frameworks such as COBIT. Some
information security professionals simply kept their ears to the ground, picking up metrics
* In the same way, the most valuable feature of an ISO27k ISMS is not a preordained set of
security controls designed by some erudite international committee of security experts, but
the governance framework for information security with which management can dynamically
determine the organization's specific security needs and systematically improve the security
controls accordingly. Security metrics are an absolutely essential part of an effective ISMS. The
two go very much hand in hand.