PRAGMATIC Security Metrics by W. Krag Brotby, Gary Hinson
Appendix L: Bibliography
Aside from providing sufficient information for you to locate reference sources specifically cited in the text, we recommend the following resources for further reading on this topic.
Accenture (2009). How Global Organizations Approach the Challenge of Protecting Personal
Data. Survey conducted in 2008 by Ponemon Institute. www.accenture.com/
SiteCollectionDocuments/PDF/Accenture_DPP_Report_FINAL.pdf.
Barabanov, Rostyslav (2011). Information Security Metrics: State of the Art. DSV Report series
no. 11-007.
Berinato, Scott (2005). “A few good information security metrics.” CSO Magazine. www.csoonline.com/article/220462/a-few-good-information-security-metrics.
Brenot, Jean, Bonnefous, Sylviane, and Marris, Claire (1998). “Testing the cultural theory of risk in France.” Risk Analysis 18, no. 6.
Brotby, Krag (2009a). Information Security Management Metrics. CRC Press, Boca Raton, FL.
Brotby, Krag (2009b). Information Security Governance: A Practical Development and Implementation Approach. Wiley, New Jersey.
Cameron, Kim, and Quinn, Robert (1999). Diagnosing and Changing Organizational
Culture. Addison-Wesley, New Jersey.
Campbell, George K. (2006). Measures and Metrics in Corporate Security: Communicating Business Value. The Security Executive Council, Marietta, GA.
CIS (2010). CIS Consensus Security Metrics. Center for Internet Security. benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.metrics.
Deloitte (2010). “The final act: Financial reporting implications of the Dodd–Frank Wall Street Reform and Consumer Protection Act.” Heads Up 17, no. 26.
GAO (1998). Measuring Performance and Demonstrating Results of Information Technology
Investments. United States General Accounting Office, Accounting and Information
Management Division. Executive Guide. www.gao.gov/assets/80/76378.pdf.
Gordon, Lawrence A., and Loeb, Martin P. (2006). Managing Cyber-security Resources: A
Cost-Benefit Analysis. McGraw-Hill, New York.
Hauser, John R., and Katz, Gerald M. (1998). Metrics: You Are What You Measure. www.mit.edu/~hauser/Papers/Hauser-Katz Measure 04-98.pdf.
Hayden, Lance (2010). IT Security Metrics: A Practical Framework for Measuring Security and
Protecting Data. McGraw-Hill Osborne Media, New York.
Herrmann, Debra S. (2007). Complete Guide to Security and Privacy Metrics: Measuring
Regulatory Compliance, Operational Resilience and ROI. Auerbach Publications, Boca
Raton, FL.
Hinson, Gary (2006). “Seven Myths About Security Metrics.” ISSA Journal, July.
Hubbard, Douglas (2010). How to Measure Anything: Finding the Value of Intangibles in
Business, Second edition. Wiley, New Jersey.
ISACA (2009). An Introduction to the Business Model for Information Security. ISACA.
ISACA (2010). Return on Security Investment. IT Audit and Assurance Guideline G41. www.isaca.org/Knowledge-Center/Standards/Documents/G41-ROSI-5Feb10.pdf.
ISACA (2011). COBIT. ISACA.*
ISACA (2012). Certified Information Security Manager Review Manual 2012. ISACA.
ISO/IEC 27001 (2005). Information Technology—Security Techniques—Specification
for an Information Security Management System. International Organization for
Standardisation/International Electrotechnical Committee. Republished by many
national standards bodies.
ISO/IEC 27002 (2005). Information Technology—Security Techniques—Code of Practice for
Information Security Management. International Organization for Standardisation/
International Electrotechnical Committee. Republished by many national standards
bodies.
ISO/IEC 27004 (2009). Information Technology—Security Techniques—Information
Security Management—Measurement. International Organization for Standardisation/
International Electrotechnical Committee. Republished by many national standards
bodies.
ITGI (2005). Information Security Governance: Guidance for Boards of Directors and Executive
Management. IT Governance Institute.
ITGI (2006). Information Security Governance: Guidance for Boards of Directors and Executive
Management, Second edition. IT Governance Institute.
ITGI (2008a). Val IT Framework 2.0. www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Val-IT-Framework-2.0.aspx.
ITGI (2008b). Information Security Governance: Guidance for Information Security Managers.
IT Governance Institute.
Jaquith, Andrew (2007). Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-
Wesley, New Jersey.
Kahneman, D., Slovic, P., and Tversky, A. (1982). Judgment Under Uncertainty: Heuristics
and Biases. Cambridge University Press, New York.
Kaplan, Robert S., and Norton, David P. (1996). The Balanced Scorecard: Translating Strategy into Action. Harvard Business School Press. Builds on their groundbreaking article in the Harvard Business Review, Jan.–Feb. 1992.
Kiely, Laree, and Benzel, Terry (2006). “Systemic security management.” IEEE Security & Privacy 4, no. 6: 74–77.
Machiavelli, Nicolo (unpublished). The Prince. A translation by W. K. Marriott in 2006 is available in its entirety at www.gutenberg.org/files/1232/1232-h/1232-h.htm.
* While at the time of writing COBIT 4.1 was the current release, COBIT 5 has since been released. COBIT 5 integrates Val IT, Risk IT, and BMIS into COBIT.
Although the original work was not published in Machiavelli's lifetime (1469–1527), it was plagiarized and circulated.