PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson

Appendix A: PRAGMATIC Criteria

| Criterion | Rating guide: 0% | 33% | 66% | 100% |
|---|---|---|---|---|
| PREDICTIVE | The metric is purely historical and backward-looking with no predictive value whatsoever. | Principally historic but gives some vague indication of the future direction, such as weak trends. | Definitely has predictive value, such as strong trends, but some doubt and apparently random variability remains. | Highly predictive, unambiguously indicative of future conditions with very strong cause-and-effect linkages. |
| RELEVANT | The metric is totally irrelevant to information security. | The metric has marginal relevance to information security with narrow application or some irrelevant aspects. | The metric is quite relevant to information security, but there are a few exceptions or drawbacks. | The metric is absolutely relevant to information security. |
| ACTIONABLE | Recipients have absolutely no idea what to do with this metric and so would do nothing at all. | The metric vaguely hints at what needs to be done and might prompt a limited response. | The metric gives a very good steer on what needs to be done and would prompt a suitable response. | The metric is prescriptive, directly actionable, and would definitely cause an appropriate response. |
| GENUINE | The metric is highly misleading and often totally spurious; sometimes it bears no relation to the truth; it is incredible. | The metric has elements of the truth but lacks credibility: it is dubious or doubtful, being based on unverifiable assertions or assumptions. | The metric is reasonably credible and is supported by verifiable evidence or facts in most important respects. | The metric is entirely based on verified facts and is totally credible: nobody would seriously challenge it. |
| MEANINGFUL | The metric is completely meaningless and utterly confusing to all its intended recipients. | The metric is somewhat vague and uncertain to its intended recipients; it implies rather than states. | Most of the intended recipients can figure out quite easily what the metric means. | The metric is highly meaningful and crystal clear to its intended recipients: it is patently obvious. |
| ACCURATE | Random, any resemblance to the facts is purely coincidental. | Vaguely accurate, sometimes wrong, limited precision. | Mostly correct, rarely wrong, reasonably precise. | Highly accurate and precise, always perfectly correct. |
| TIMELY | By the time recipients receive the metric, it is far too late for them to do anything about it. | The metric usually arrives late, limiting the ability to make use of it. | The metric usually arrives in good time but would be of more use if it came even sooner. | Instant/real-time analysis and reporting mean the metric is always bang up to date and immediately usable. |
| INDEPENDENT | With no independence whatsoever, the metric is highly likely to be manipulated or falsified by those gathering/analyzing the data or reporting it. | There is a distinct possibility that someone might game the system or deliberately mislead recipients by manipulating or falsifying this metric. | There is a slight possibility that the metric might be deliberately manipulated, but at least it could be independently verified to identify this after the fact. | The metric is based on objective data obtained totally independently of the subjects of the measurement. |
| COST | The metric is prohibitively expensive to measure. It would have negative net value to the organization. | The metric is quite costly but has some net value to the organization. | The metric is quite cheap to measure and has a positive net value to the organization. | The metric is essentially free or has tremendous benefit and, hence, is invaluable to the organization. |
