
Daniel Brunner

Towards the end of a detailed book review on Amazon, Daniel concludes “Until now I have not come across a book about information security metrics that was so clearly and concisely written. The book is easy to understand and provides a wealth of tools and inputs for anybody having to deal with metrics.” Thanks Daniel!


Elia Fernandez

Elia enthused about PRAGMATIC Security Metrics in Spanish on her blog (part 1 and part 2), concluding “What matters is determining how the organization can identify the security metrics that are worth using, and how the merits of a metric can be evaluated. To date, the usual approach has been informal and subjective. By contrast, the PRAGMATIC method allows a metric to be measured and evaluated in a structured way; it forces you to analyze the metric in detail.” Thanks Elia!


Professor Mich Kabay

Mich’s detailed book review concluded “I strongly recommend this text to all information-assurance practitioners; I think it can also be useful as a textbook in graduate degrees in the management of information assurance for a specific module on metrics and optimization of security strategy.” Thanks Mich!



On Amazon, Koen describes the book as “A must read for those that produce KPIs for senior management, or for senior managers who want to be informed by useful indicators.” Thanks Koen!


Patrick A McCombs

On Amazon, Patrick wrote “Addresses one of my major concerns, which is management demanding metrics just because everyone else says metrics are good. Now you have a basis for evaluating metrics instead of just a gut feeling that ‘that's pointless.’ The book focuses on security metrics, and provides hundreds of examples, with PRAGMATIC scores. But the concept goes far beyond cyber security.” Thank you Patrick.


Maria Patricia Prandini

Maria reviewed the book for ISACA: “When evaluating security effectiveness or searching for areas of improvement, most people will probably agree on the need for metrics to manage information security. The problem is how to start using metrics. Pragmatic Security Metrics provides the road map. Pragmatic Security Metrics is truly pragmatic, highlighting the benefits of security metrics and taking a detailed look at several sources of information security metrics, such as ISACA’s Business Model for Information Security (BMIS), the Capability Maturity Model (CMM), ISO 27004 and the National Institute of Standards and Technology (NIST) publications.” Thank you Maria.


Ben Rothke

Ben wrote “After reading the first chapter, PRAGMATIC Security Metrics: Applying Metametrics to Information Security looks like it may live up to its promise of being able to use metrics not only to track and report performance but to identify problem areas and opportunities, and drive information security improvements. If so, this could be the metrics book a lot of information security professionals have been waiting for.” Thanks Ben!



On Amazon, SK wrote “Well written and useful when developing information security metrics. The accompanying website and goodies were also very helpful. This one will join my permanent library.” Thanks SK!



Please let us know if you have published a review of the book somewhere and we’ll gladly link to it, or publish it here if you prefer.

Even if you don’t quite feel up to writing a book review, we welcome your honest feedback at any time. We’d love to hear what you make of the book and the PRAGMATIC method: is it something you find useful? How are you planning to adopt the method? What’s missing? How could it be improved? What do you think of this website? Constructive criticism and creative ideas on metrics are especially welcome.

Copyright © 2021 Gary Hinson & Krag Brotby