We’re told “You can’t manage what you don't measure” – well plainly that is not entirely true since we have been managing information security for decades without decent measures! ... Or have we? A cursory glance at the news headlines reveals glaring examples of security failures and privacy breaches, despite substantial investments in information security.
Experienced information security professionals are growing increasingly cynical. We may win the occasional battle but we are losing the war against hackers, fraudsters, organized criminals, terrorists, pirates, plagiarists, industrial spies, unethical insiders and other adversaries. Metrics are a substantial part of the answer to today's information security management challenges.
“You can’t have
effective governance without effective metrics.”
This website supports the global community adopting the innovative measurement techniques laid out in the book PRAGMATIC Security Metrics. If you too are struggling to make sense of security metrics, you're in the right place. Browse the tabs and menu top/right or check out changes to the website (most recent at the top):