PRAGMATIC Security Metrics
Applying Metametrics to Information Security
by W. Krag Brotby and
ISBN: 978-1439881521 and 1439881529
Pages: 512 (150,000 words)
Publisher: Auerbach/CRC Press
Whereas other authors are strong on the theories, mathematics and statistics behind measurement, PRAGMATIC Security Metrics is a reader-friendly, practical guide for hard-working security practitioners. Without totally ignoring the underlying complexities, the book explains and interprets security metrics straightforwardly, adding a shiny new tool to the toolbox: the PRAGMATIC method.
PRAGMATIC Security Metrics explains:
Why information security is vital, yet (as with risk management in general) so difficult to get right;
Why meaningful metrics are necessary to manage anything systematically and rationally, instead of relying purely on guesswork, experience and gut feel;
Who needs security metrics - who are the audiences, consumers and users of metrics;
How information security is currently measured - an overview of approaches suggested and used elsewhere;
Finding or developing potential (candidate) security metrics, including a few less conventional sources;
150+ example security metrics, structured in line with ISO27k, scored using the PRAGMATIC method, and discussed as if they were being actively considered by management;
Advanced security metrics - as if the rest of this isn't hard enough already!;
Using security metrics - analysis, presentation, motivation ...;
The downsides of metrics - possible drawbacks to having more effective security metrics;
A case study - a realistic worked example, developing a set of security metrics for Acme Enterprises Inc, a hypothetical commercial organization facing a range of strategic, managerial and operational challenges;
Conclusions including a set of take-home messages - things to put into practice immediately.
At face value, the PRAGMATIC method is simply a way to score security metrics, but there’s much more to it than that. Think about it: how does your organization determine which security metrics are or are not worth using? If you pick up a suggestion for a new metric from a book, a friend or a flash of inspiration, how do you assess its merits? The usual approach is entirely informal and subjective. Scoring and assessing the metric in a structured way forces you to think it through, in detail.
What about the recipients or audiences for your metrics: do you deliver the security metrics you feel are important, or do you make the effort to find out what they want - and if so, how do you frame that discussion? What do you do to make them set aside the time to work out and explain their needs?
The PRAGMATIC method is straightforward, cheap and easy to apply, meaning that busy information/cybersecurity managers and CISOs can get up and running in a matter of hours.
Metrics are used not only to track and report performance but to identify problem areas and opportunities, and so drive security improvements. With a focus on using measurement data in support of management decisions, the book takes the discussion up a level by elaborating on the design of an Information Security Measurement System with obvious application as an integral part of an Information Security Management System as described by ISO/IEC 27001.
As soon as you appreciate the power of the PRAGMATIC method, you’ll be itching to put it into practice, especially if you, your colleagues and managers are presently struggling with security metrics. Aside from the P.R.A.G.M.A.T.I.C. mnemonic representing nine criteria for assessing and scoring metrics, the approach is pragmatic in the ordinary everyday sense of the word. You certainly don’t need a doctorate in statistics to make use of this book! Practical tips are scattered liberally throughout, with further information and references in the footnotes. We separated them out from the main text to encourage you to read quickly through the book at first to understand the overall approach, then go back to explore particular aspects in more detail as you apply the learning. It is an introductory guide/overview and a more detailed implementation guide/training manual, all rolled into one.