<>The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.

Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

Security Metrics successfully bridges management’s quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith’s extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. You’ll learn how to:

• Replace nonstop crisis response with a systematic approach to security improvement

• Understand the differences between “good” and “bad” metrics

• Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk

• Quantify the effectiveness of security acquisition, implementation, and other program activities

• Organize, aggregate, and analyze your data to bring out key insights

• Use visualization to understand and communicate security issues more clearly

• Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources

• Implement balanced scorecards that present compact, holistic views of organizational security effectiveness

Whether you’re an engineer or consultant responsible for security and reporting to management–or an executive who needs better information for decision-making–Security Metrics is the resource you have been searching for.

Andrew Jaquith, program manager for Yankee Group’s Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist.

Foreword         

Preface            

Acknowledgments         

About the Author           

Chapter 1          Introduction: Escaping the Hamster Wheel of Pain          

Chapter 2          Defining Security Metrics           

Chapter 3          Diagnosing Problems and Measuring Technical Security  

Chapter 4          Measuring Program Effectiveness           

Chapter 5          Analysis Techniques     

Chapter 6          Visualization     

Chapter 7          Automating Metrics Calculations

Chapter 8          Designing Security Scorecards  

Index   

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating:  Based on 21 Ratings

Some gaps, but useful nonetheless - 2008-07-16
Reviewer Rating:
Andrew Jaquith's book on security metrics is refreshing in its approach. Instead of a neverending cycle of risk assessments and vulnerability patching (a process which the author humorously calls the "hamster wheel of pain"), we are told to focus on core operational security processes and measurement of key indicators.

The central premise of the book is that a "risk management" approach, as promoted by many security vendors, doesn't work. The reason it doesn't work is that it is extremely difficult to get a good handle on the true value of assets, and an accurate estimate of risk. As the author puts it, "identifying problems is easy ... quantifying and valuing risk is much harder."

The thorough discussion of information security metrics makes this book worthwhile reading. However, there is a hint of sloppy thinking sprinkled throughout, which tends to undermine one's trust in the author's intellectual honesty. For example, when discussing the importance of tracking not only inbound viruses, but outbound as well, the author makes the following statement:

BEGIN QUOTE -
Another twist I have added to the traditional antivirus statistics is a simple metric documenting the number of outbound viruses or spyware samples caught by the perimeter mail gateway's content filtering software. Why it matters is simple--it is an excellent indicator of how "clean" the internal network is. Organizations that practice good hygiene don't infect their neighbors and business partners. My friend Dan Geer relates this quote from the CSO of a Wall Street investment bank:

"Last year we stopped 70,000 inbound viruses, but I am prouder of having stopped 500 outbound."

In other words, the bank's internal network is cleaner than the outside environment by a factor of 140 to 1.
- END QUOTE

Certainly, the conclusion in the last sentence cannot be supported without additional information. The volume of inbound email is likely to be drastically higher, which may account for the difference. The bank's outbound detection/prevention mechanism also may not be as efficient as the inbound.

Moreover, the metrics analysis chapter is very rudimentary and incomplete. Basic concepts like mean, median, and standard deviation are briefly discussed, but there is no mention of statistical random sampling techniques and confidence levels, which would surely be of significant importance when measuring key indicators across large populations, where a complete enumeration is either impossible, or too expensive and time-consuming. Sometimes, metrics which are "meaningful", are not the ones that are "tangible" and "easy to measure". A certain degree of statistical sophistication can be helpful in such situations.

In summary, the book offers some useful insight and practical advice for those who are charged with running an information security management program, but a healthy skepticism of the assumptions underlying the author's conclusions is warranted. In order to develop truly meaningful information security metrics, a much more sophisticated approach than what is described in this book will likely be needed.

First book on security metrics. - 2010-06-09
Reviewer Rating:
The author has done a good job at formalizing what security metrics are about.
As far as I know, this is the first such book. There are a lot of good insights, that one can take away from the book -- from what good metrics are, to why ALE isn't a good way to measure security, to what Hamster wheel of pain is all about. However, I felt like the subject of 300+ pages could have been condensed into at most 50 pages. There are two chapters that describe different types of charts, pies, and statistical methods of analyses that seemed rather elementary. At times, the text is rambling.
Despite its shortcomings, it is a great treatise and I recommend any CISO to buy this book.

Follow me on twitter: [...]

Not a lot of meat for the real world - 2010-04-29
Reviewer Rating:
Looking for some guidance on security metrics that are actually insightful and would add value to the decision making process of a Fortune 500 company, I purchased this book. Unfortunately, I cannot say there is much in here that any educated Information Security individual would not know. The author does have a 5 page list of useful KPI's in chapter 3, but as mentioned before, any Info Sec professional worth his salt would be aware of these. Why the author needs another 300 pages is beyond my comprehension, as most of it is wasted with fluff and a review of college statistics class.

Practical How-To Metrics for Impact...plus Balanced Scorecard! - 2009-02-11
Reviewer Rating:
SECURITY METRICS is exclaimed as one of the only books you can find having to do with Info System Security (ISS) metrics. Author is a former consultant, and talented in best practices on how to present metrics (aesthetics), as well as advising you on what tangible metrics will give you the most bang for the buck. Later in the book, Jaquith takes you up the next level by adapting the Balanced Scorecard to the ISS world. Again, author walks you through specifics on metrics that would be reflective of the four different perspectives [Financial, Customer, Internal, and Learning&Growth]...a big help for anyone who has wrestled with Kaplan & Norton's "Balanced Scorecard" book.

A necessary paradigm shift for information security - 2007-12-02
Reviewer Rating:
Upon completion of this book, I began to muse: what percentage of security professionals have given any thought to security metrics? For those that have actually considered the topic, with what level of frequency do they entertain thoughts of security metrics? Yearly? Monthly? Daily? Gee, I think to myself, I'd like to see a time series analysis exhibit of that...

Based on the fact that I sit here torturing myself with these thoughts, I contend that Security Metrics has already influenced my approach toward security management. Indeed, Jaquith has done an excellent job of exposing an area that is critical to effective security management, but to which many security practitioners (myself included) have previously paid lip service. Security Metrics offers valuable insight to organizations seeking to provide a greater level of intelligence and meaning around their security program(s).

In addition to how well the ideas of the book resonated with my own professional and academic background, the choice to give a 5 star rating was based on its organization, readability, entertaining quips, and the fact that many of the alternative publications in the realm of security metrics are triple or more the cost of this one. Though I've not yet read or reviewed other similar works, the bar has been set high.

Browse Similar Topics

Top Level Categories:
Networking

Sub-Categories:
Networking > Security