We’re told “You can’t manage what you don’t measure” – well, plainly that is not entirely true, since we have been managing information security for decades without decent measures! ... Or have we? A cursory glance through the news headlines reveals glaring examples of security failures and privacy breaches, despite substantial investments in information security.
Experienced information security professionals are growing increasingly cynical. We may win the occasional battle, but we are losing the war against hackers, fraudsters, organized criminals, terrorists, pirates, plagiarists, industrial spies, unethical insiders, government security agencies and other challenges. Measurement and monitoring are an essential part of information security management. To put that another way:
You can’t secure what you don’t measure
This website supports the global community adopting the innovative security measurement techniques laid out in the book PRAGMATIC Security Metrics. If you too are struggling to make sense of security metrics, you’re in the right place. Browse the site and come back often!