We’re told “You can’t manage what you don't measure” – well patently that is not entirely true since we have - allegedly - been managing information security for decades without decent measures! ... Or have we? A cursory glance through the headlines reveals glaring examples of security failures and privacy breaches, ransomware attacks and misinformation, despite substantial investments in information security. Experienced information risk and security professionals are growing increasingly cynical. We may win the occasional battle but we are losing the war against hackers, fraudsters, organized criminals, terrorists, pirates, plagiarists, industrial spies, unethical insiders, government security agencies and other challenges. Worse still, as we tighten security, we are making it harder than ever for our colleagues to exploit information legitimately for business purposes.
Metrics are an essential part of information risk and security management, enabling us to quantify, direct, control and improve information security rationally and systematically for sound business reasons.
This website supports the global community adopting the innovative security measurement techniques laid out in the book PRAGMATIC Security Metrics. If you too are struggling to make sense of security metrics, you're in the right place.
Browse the site for goodies such as: