“It takes more than understanding the problem to explain to a computer how to solve it.”
—developerdude (anonymous), ca. November 2004
“History may not repeat itself, but it does rhyme a lot.”
The previous chapters tackled some of the more theoretical concepts related to security metrics: why we ought to be measuring security, and what sorts of things we ought to measure. This chapter’s intent is more practical: to describe how to gather the data we are looking for. Because much of the data we seek are, in most organizations, stored inside a vast array of databases, system logs, spreadsheets, and brains, any discussion of “how” must discuss the mechanical processes that enable us to gather data ...