Book contents mind map

Preface, acknowledgments, foreword

Chapter 1. Introduction

  • Why have we written this book?
  • What’s different about this metrics book?
  • Who were we writing this for?
  • Who are we?
  • What we’ll be talking about
  • Defining our terminology
  • What we expect of you, the reader
  • Chapter summary

Chapter 2. Why measure information security?

  • … To answer awkward management questions
  • … To improve information security, systematically
  • … For strategic, tactical and operational reasons
  • … For compliance and assurance purposes
  • … To fill the vacuum caused by our inability to measure security
  • … To support the information security manager
  • … For profit!
  • … For various other reasons …
  • Chapter summary
  • You can download the whole of chapter 2 as a sample of the book

Chapter 3. The art and science of security metrics

  • Metrology, the science of measurement
  • Governance and management metrics
  • Information security metrics
  • Financial metrics [for information security]
  • [Information security] Risk management metrics
  • Software quality [and security] metrics
  • Information security metrics reference sources
  • Specifying metrics
  • Metrics catalogs and a serious warning about SMD
  • Other [information security] metrics resources
  • Chapter summary

Chapter 4. Audiences for security metrics

  • Metrics audiences within the organization
  • Metrics audiences without the organization
  • Chapter summary

Chapter 5. Finding candidate metrics

  • Pre-existing/current information security metrics
  • Other corporate metrics
  • Metrics used in other fields and organizations
  • Information security metrics reference sources
  • Other sources of inspiration for security metrics
  • Roll-your-own metrics
  • Metrics supply and demand
  • Chapter summary

Chapter 6. Metametrics and the PRAGMATIC approach

  • Metametrics
  • Selecting information security metrics
  • The PRAGMATIC criteria
  • Scoring information security metrics against the PRAGMATIC criteria (step-by-step)
  • Other uses for PRAGMATIC metametrics
  • Classifying information security metrics
  • Chapter summary

Chapter 7. 150+ example security metrics

  • Information security risk management example metrics
  • Information security policy example metrics
  • Security governance, management and organization example metrics
  • Information asset management example metrics
  • Human resources security example metrics
  • Physical security example metrics
  • IT security example metrics
  • Access control example metrics
  • Software security example metrics
  • Incident management example metrics
  • Business continuity management example metrics
  • Compliance and assurance example metrics
  • Chapter summary

Chapter 8. Designing a PRAGMATIC security measurement system

  • A brief history of information security metrics
  • Taking a systems approach to metrics
  • The information security measurement system lifecycle
  • Chapter summary

Chapter 9. Advanced information security metrics

  • High-reliability metrics
  • Indicators and proxies
  • Key * Indicators (KGIs, KPIs, KRIs, CSFs)
  • Targets, hurdles, yardsticks, goals, objectives, benchmarks and triggers
  • Chapter summary

Chapter 10. The downsides of metrics

  • The numbers don't always tell the whole story
  • Scoring political points through metrics
  • Implausible deniability
  • Metrics gaps
  • On being ‘good enough’
  • What not to measure
  • Chapter summary

Chapter 11. Using PRAGMATIC metrics in practice

  • Gathering the raw data
  • Data analysis and statistics
  • Data presentation
  • Using, reacting and responding to metrics
  • Chapter summary

Chapter 12. Case study

  • The context: Acme Enterprises Inc.
  • Information security metrics for the C-suite
  • Information security metrics for management and operations
  • Information security metrics for external stakeholders
  • Acme’s information security measurement system
  • Chapter summary

Chapter 13. Conclusions

  • Take-home lessons from this book
  • Your chance to advance the profession and the practice of metrics
  • An action plan to take away
  • Chapter summary


  • The PRAGMATIC criteria
  • Business Model of Information Security (BMIS)
  • Capability Maturity Model (CMM)
  • Example opinion survey form
  • SABSA security attributes table
  • Prototype metrics catalog
  • Effect of weighting the PRAGMATIC criteria
  • ISO27k maturity scale metrics
  • Sample management survey
  • Observer bias
  • Observer calibration
  • Bibliography
  • Index

Copyright © 2021 Gary Hinson & Krag Brotby