Complete Guide to
Security and Privacy Metrics
Measuring regulatory compliance,
operational resilience, and ROI
Author: Debra S Herrmann
Publisher: Auerbach, 2007
Price: ~US$128 from Amazon
This heavyweight textbook details over 900 security metrics.
The book is particularly strong on measuring compliance with North American laws and regulations relating in various ways to information security, privacy and governance (e.g. GLB, SOX, HIPAA, PIPEDA, FISMA and NERC CIP), taking up a quarter of the 800 pages.
That still leaves many pages to discuss technical and physical security metrics and even a few on financial security metrics.
Chapter 2 gives a decent general introduction to the development of metrics using the Goal-Question-Metric paradigm. Debra states that “good metrics are accurate, precise, valid and correct”.
The 900+ metrics would be completely overwhelming if presented as an unstructured list, but it helps that they are individually introduced and described in context. Debra says “No organization should attempt or even could implement all of these metrics and still accomplish its mission or return a profit. Rather, this collection should be considered like a menu from which to pick and choose metrics that will be meaningful to your organization; most likely, the metrics considered useful will change over time due to a variety of factors. Often there are subtle differences in the way the data is analyzed and presented from one metric to the next in the same category. It is up to you to decide which are the appetizers, entrees, and desserts, and whether you want the low-salt or the spicy version.” Hear hear!