PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson


427
Appendix G: Effect of Weighting the PRAGMATIC Criteria
Below, we compare the 30 top-scoring metrics, first unweighted (every rating has the same weight), and then with the following weightings: Predictive, 25%; Relevant, 20%; Actionable, 9%; Genuine, 3%; Meaningful, 5%; Accurate, 8%; Timely, 7%; Independent, 3%; Cost, 20%.
| Metric (unweighted ranking) | Unweighted score | Metric (weighted ranking) | Weighted score |
|---|---|---|---|
| Quality of security metrics in use | 91% | Quality of security metrics in use | 93% |
| Number of orphaned information assets without an owner | 91% | Coverage of business impact analyses | 91% |
| Rate of messages received at central access logging/alerting system | 90% | Security governance maturity | 90% |
| Coverage of business impact analyses | 89% | Number of orphaned information assets without an owner | 90% |
| Percentage of security controls that may fail silently | 89% | Security risk management maturity | 89% |
| Number of security policies, standards, procedures, and metrics with committed owners | 88% | Percentage of business processes having defined RTOs and RPOs | 89% |
| Power consumed by the computer suite versus air conditioning capacity | 88% | Business continuity management maturity | 88% |
| Security governance maturity | 87% | IT security maturity | 88% |
| Business continuity management maturity | 86% | Software security maturity | 88% |
| IT security maturity | 86% | Information security incident management maturity | 88% |
| Software security maturity | 86% | Information security compliance management maturity | 88% |
| Information security incident management maturity | 86% | Information asset management maturity | 88% |
| Information security compliance management maturity | 86% | Human resources security maturity | 88% |
| Information asset management maturity | 86% | Physical and environmental security maturity | 88% |
| Human resources security maturity | 86% | Percentage of security controls that may fail silently | 88% |
| Physical and environmental security maturity | 86% | Rate of messages received at central access logging/alerting system | 88% |
| Security risk management maturity | 86% | Information access control maturity | 88% |
| Breakdown of exceptions and exemptions | 86% | Security policy management maturity | 88% |
| Information access control maturity | 86% | Information security ascendency | 87% |
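As an added worked example (not code from the book), the following Python computes a metric's unweighted and weighted PRAGMATIC scores using the Appendix G weightings above, and shows on two constructed sets of ratings how weighting can reorder metrics; the sample ratings and metric names are assumptions, not the book's data.

```python
# Added example: unweighted vs. weighted PRAGMATIC scores (Appendix G weightings).
# The sample ratings and metric names below are constructed, not the book's data.

# Weighting per criterion, in percent of the total score, as given in Appendix G.
WEIGHTS = {
    "Predictive": 25, "Relevant": 20, "Actionable": 9, "Genuine": 3,
    "Meaningful": 5, "Accurate": 8, "Timely": 7, "Independent": 3, "Cost": 20,
}
CRITERIA = tuple(WEIGHTS)  # P-R-A-G-M-A-T-I-C order


def _check(ratings):
    """Reject rating sets that are missing a criterion or fall outside 0-100."""
    missing = set(CRITERIA) - set(ratings)
    if missing:
        raise ValueError(f"missing PRAGMATIC ratings: {sorted(missing)}")
    for c in CRITERIA:
        if not 0 <= ratings[c] <= 100:
            raise ValueError(f"{c} rating out of range: {ratings[c]}")


def unweighted_score(ratings):
    """Plain mean of the nine ratings: every criterion counts equally."""
    _check(ratings)
    return sum(ratings[c] for c in CRITERIA) / len(CRITERIA)


def weighted_score(ratings, weights=WEIGHTS):
    """Weighted mean: each rating counts in proportion to its criterion's weight."""
    _check(ratings)
    return sum(ratings[c] * weights[c] for c in CRITERIA) / sum(weights.values())


def rank(metrics, scorer):
    """Metric names ordered best-first under the given scoring function."""
    scored = ((name, scorer(r)) for name, r in metrics.items())
    return [name for name, _ in sorted(scored, key=lambda s: (-s[1], s[0]))]


# Two hypothetical metrics: B has the higher plain mean, but A is stronger on
# the heavily weighted Predictive, Relevant and Cost criteria, so weighting flips the order.
SAMPLE = {
    "Hypothetical A": dict(Predictive=95, Relevant=90, Actionable=80, Genuine=80,
                           Meaningful=80, Accurate=80, Timely=80, Independent=80, Cost=95),
    "Hypothetical B": dict(Predictive=80, Relevant=80, Actionable=80, Genuine=95,
                           Meaningful=90, Accurate=90, Timely=80, Independent=95, Cost=80),
}

if __name__ == "__main__":
    for name, r in SAMPLE.items():
        print(f"{name}: unweighted {unweighted_score(r):.1f}%, weighted {weighted_score(r):.1f}%")
    print("unweighted order:", rank(SAMPLE, unweighted_score))
    print("weighted order:  ", rank(SAMPLE, weighted_score))
```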
