Maria Patricia Prandini
Maria reviewed the book for ISACA: “When evaluating security effectiveness or searching for areas of improvement, most people will probably agree on the need for metrics to manage information security. The problem is how to start using metrics. Pragmatic Security Metrics provides the road map. Pragmatic Security Metrics is truly pragmatic, highlighting the benefits of security metrics and taking a detailed look at several sources of information security metrics, such as ISACA’s Business Model for Information Security (BMIS), the Capability Maturity Model (CMM), ISO 27004 and the National Institute of Standards and Technology (NIST) publications.” Thank you, Maria.
Elia has enthused about PRAGMATIC Security Metrics in Spanish on her blog (part 1 and part 2), concluding “What matters is determining how the organization can identify the security metrics that are worth using, and how the merits of a metric can be evaluated. To date, the common approach has been informal and subjective. By contrast, the PRAGMATIC method makes it possible to measure and evaluate a metric in a structured way; it forces you to analyse the metric in detail.” Thanks, Elia!
Towards the end of a detailed book review on Amazon, Daniel concludes “Until now I have not come across a book about information security metrics that was so clearly and concisely written. The book is easy to understand and provides a wealth of tools and inputs for anybody having to deal with metrics.” Thanks, Daniel!
On Amazon, Koen describes the book as “A must read for those that produce KPIs for senior management, or for senior managers who want to be informed by useful indicators.” Thanks, Koen!
Professor Mich Kabay
Mich’s detailed book review concluded “I strongly recommend this text to all information-assurance practitioners; I think it can also be useful as a textbook in graduate degrees in the management of information assurance for a specific module on metrics and optimization of security strategy.” Thanks, Mich!
Ben wrote “After reading the first chapter, PRAGMATIC Security Metrics: Applying Metametrics to Information Security looks like it may live up to its promise of being able to use metrics not only to track and report performance but to identify problem areas and opportunities, and drive information security improvements. If so, this could be the metrics book a lot of information security professionals have been waiting for.” Thanks, Ben!
Please let us know if you have published a review of the book somewhere and we’ll gladly link to it, or publish it here if you prefer.
Even if you don’t quite feel up to writing and publishing a book review, we welcome your honest feedback at any time. We’d love to hear what you make of the book and the PRAGMATIC method: is it something you will find useful? How are you planning to adopt the method? What’s missing? How could it be improved? What do you think of this website? Constructive criticism and creative ideas on metrics are especially welcome!