Designing Security Scorecards
“How’m I doing?”
—Former New York City Mayor Edward I. Koch, ca. 1978
Keeping score is a natural human activity. We do it in school, with our sports teams, in our personal lives, and with political candidates. Familiar methods of scoring include report cards and test scores, sports box scores and league standings, stock indices, and opinion polls.
There are lots of reasons for scorekeeping: performance measurement, intellectual curiosity, creeping jealousies, and sometimes simple nosiness. Because I am not a licensed psychologist—merely one with armchair credentials—this chapter focuses only on the business performance aspects of scorekeeping—in particular, on scoring security performance.
Scorekeeping, when expressed ...