The Forum’s purpose
The forum is a practitioners’ group. While at times we may dip into more theoretical aspects, our primary interest is in the practical application of metrics to address real world information security, management and governance issues.
This is a self-help global community. Sharing is important to us. Every contribution is treasured and every member is valued. We each bring different experience, expertise and perspectives, and that diversity makes us ‘greater than the sum of the parts’.
The forum thrives on proactive involvement and mutual support. It is in everyone’s interest to engage and participate actively whenever possible rather than just passively observe the discussions. Forum members are encouraged both to raise questions or ask for help, and to offer answers, tips, suggestions, case studies, example materials and so forth. Seriously, we will all get a lot more out of this if you dive in with both feet - and don’t worry, we have lifeguards on hand to steer you gently to the side if you get too far out of your depth.
As well as the book and the FAQ, valuable content will gradually accumulate in the group’s archive, so get to know Google’s search syntax.
If you join the Security Metametrics Forum, you will obviously receive metrics-related emails from other Forum members via Google Groups but that’s about it. Rest assured that we will not exploit, sell or give away your email address or other personal information: after all, privacy, confidentiality and integrity are integral aspects of information security.
If you post messages to the Forum, members may occasionally email responses directly to you rather than to the entire group. We actively discourage anyone from advertising on the Forum or pestering members but if you are clearly seeking services or information, vendors may contact you directly/off-list. Feel free to create a unique email address solely for the Forum and please let us know straight away if you receive any spam on it, indicating a control lapse somewhere. We utterly detest and actively fight spam. Any Forum members who spam other members risk being unceremoniously booted out of the group.
Forum tips and etiquette
The following guidelines are meant to keep the Security Metametrics Forum on the right track, and benefit the whole community. Thank you for your understanding, patience and compliance:
Please be professional and respectful at all times. Some of our members are new to this game and occasionally make naive or misguided statements. Be gentle with them - we all had to start somewhere. Some of us are old hands and with experience and age comes a tendency to arrogance and crankiness. Try to see beyond our words: there may just be a few pearls of wisdom there.
Please add your name to your postings, indicating how you prefer to be addressed. Members from cultures that normally put the family name first take note: it helps to give us a clue about your “first name” or “given name”, the name that your polite friends call you, otherwise we may guess wrong. We are pretty informal so there’s no real need for titles or qualifications here, unless you feel the need to introduce yourself.
If you want to pose a question on the Forum, take a moment to explain your context. Why are you asking the question? What have you already done in an attempt to find an answer (e.g. have you Googled it and maybe searched the book and the FAQ)? What kind and size of organization do you represent? How mature are its information security management and metrics practices? Forum members can provide more meaningful and helpful answers if you make the effort to clarify your question. Ultra-brief context-free questions such as “What are the best metrics for X?” tend to go nowhere fast and often stir up somewhat sarcastic and cynical responses. For further advice on asking questions intelligently, see here.
We aim to keep the Forum essentially non-commercial and ad-free. Forum members are discouraged from overtly advertising or promoting their organizations and products, making commercial offers etc. on the Forum, although conventional email signatures that discreetly mention your employer or whatever are perfectly acceptable. Please help us keep this a professional self-help forum. To discuss commercial matters (for example if a Forum member explicitly requests information on goods or services that your company just happens to supply), please contact them directly/off-line and NOT via the Forum. Forum members who break this rule will probably find future postings censored and if they still cause trouble, they may be dispatched to the outer reaches of the galaxy.
The Forum’s working language is English (plain English, not TXT-speak). However, ours is a truly international community and hence English is not the first language of many members. Please turn a blind ear to the occasional spelling grammatical and errors: those who are brave enough to express themselves on such a technical subject in a foreign language as arcane as English deserve medals not moans. Please take non-English discussions off-line but of course we would welcome an English summary later if they are relevant to the group.
Please top-post judiciously. Spare a thought for those of us who belong to several groups and don’t always have the time or inclination to re-read every word. If you reply to a lengthy Forum exchange, please don’t just add your input to the top of the entire thread: trim down the original content to its essentials and insert your comments in context. Please avoid changing the subject line unless you are deliberately going off at a tangent as Google Groups and many email programs use the subject lines to link related messages together into threads.
Stay on topic please! There are plenty more mailing lists and resources out there for other aspects of information security, mathematics/statistics, presentational tools and so on. This Forum is exclusively about measuring information security. Queries about specific tools and general stuff such as vacancy notices, job-hunting, advertisements, press releases and jokes are just noise. Help us keep the signal-to-noise ratio right up there in the green zone.
Google Groups gives you the option of receiving each email message individually or as a daily digest. This is a low to medium volume list with just a few messages per day so it doesn’t make a lot of difference either way, but it’s your choice. You may like to file incoming messages automatically into their own mailbox if your email client has this functionality. To make this easier, all Forum messages automatically include [Security metametrics] in the subject line.
Respect copyright law. Do not circulate copyright materials unless you are the copyright owner or have the copyright owner’s express permission. Instead of providing materials that don’t belong to you, by all means share URLs for materials legitimately published on the Web. Likewise, please respect the copyright of Forum members: do not republish, forward or circulate Forum postings outside the Forum without the authors’ agreement (it is polite to ask them - most of us are flattered to be asked). Forum members who willfully break this zero-tolerance rule will be shredded and composted. There will be no second chances.
If you are going to be away from the office, please don’t set an Out-Of-Office message that automatically responds to Forum messages, thereby generating another Forum message ... Speak to your email admins about how to configure the system to restrict Out-Of-Office messages to internal corporate emails.