This paper describes the process of determining what information security metrics are appropriate for your organization. The recommended approach is business-driven, identifying business imperatives for information security from the corporation’s mission and objectives, elaborating on those to shortlist security metrics worth considering, and finally using the PRAGMATIC method to select the most valuable information security metrics.
Although the process itself is quite involved, the paper describes it step-by-step as a straightforward series of activities that any CISO or ISM should be able to undertake.
If you want to develop your security metrics but feel a bit overwhelmed by the task, use this paper as a guide.