Packed with time-saving tips, the book offers easy-to-follow guidance for those struggling with security metrics. Step by step, it clearly explains how to specify, develop, use, and maintain an information security measurement system (a comprehensive suite of metrics) to help:
Security professionals systematically improve information security, demonstrate the value they are adding, and gain management support for the things that need to be done
Management address previously unsolvable problems rationally, making critical decisions such as resource allocation and prioritization of security relative to other business activities
Stakeholders, both within and outside the organization, be assured that information security is being competently managed
The PRAGMATIC approach lets you hone in on your problem areas and identify the few metrics that will generate real business value. The book:
Helps you figure out exactly what needs to be measured, how to measure it, and most importantly, why it needs to be measured
Scores and ranks more than 150 candidate security metrics to demonstrate the value of the PRAGMATIC method
Highlights security metrics that are widely used and recommended, yet turn out to be rather poor in practice
Describes innovative and flexible measurement approaches such as capability maturity metrics with continuous scales
Explains how to minimize both measurement and security risks using complementary metrics for greater assurance in critical areas such as governance and compliance
In addition to its obvious utility in the information security realm, the PRAGMATIC approach, introduced for the first time in this book, has broader application across diverse fields of management including finance, human resources, engineering, and production—in fact any area that suffers a surplus of data but a deficit of useful information.
Visit Security Metametrics. (http://securitymetametrics.com/
About the Authors
Krag Brotby has 30 years of experience in the area of enterprise computer security architecture, governance, risk, and metrics and is a Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise Information Technology qualifications. Krag is a CISM trainer and has developed a number of related courses in governance, metrics, governance-risk-
Krag’s experience includes intensive involvement in current and emerging security architectures, IT and information security metrics, and governance. He holds a foundation patent for digital rights management and has published a variety of technical and IT security-related articles and books. Brotby has served as principal author and editor of the Certified Information Security Manager Review Manual (ISACA 2012) since 2005, and is the researcher and author of the widely circulated Information Security Governance: Guidance for Boards of Directors and Executive Management (ITGI 2006), and Information Security Governance: Guidance for Information Security Managers (ITGI 2008a) as well as a new approach to Information Security Management Metrics (Brotby 2009a) and Information Security Governance; A Practical Development and Implementation Approach (Brotby 2009b).
Gary Hinson—Despite his largely technical background, Dr. Gary Hinson, PhD, MBA, CISSP, has an abiding interest in human factors—the people side as opposed to the purely technical aspects of information security and governance. Gary’s professional career stretches back to the mid-1980s as both a practitioner and manager in the fields of IT system and network administration, information security, and IT auditing. He has worked for some well-known multinationals in the pharmaceuticals/
In the course of his work, Gary has developed or picked up and used a variety of information security metrics. Admittedly, they didn’t all work out, but such is the nature of this developing field (Hinson 2006). In relation to programs to implement information security management systems, for example, Gary had some success using conventional project management metrics to guide the implementation activities and discuss progress with senior managers. However, management seemed curiously disinterested in measuring the business benefits achieved by their security investments despite Gary having laid out the basis for measurement in the original business cases. And so started his search for a better way.
For More Information Please Visit:
ISBN 9781439881521, January 2013, 512 pp