Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement


By: W. Krag Brotby (author)
Hardback


Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical. Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides anyone with security and risk management responsibilities insight into these critical security questions:

  • How secure is my organization?
  • How much security is enough?
  • What are the most cost-effective security solutions?

You can't manage what you can't measure

This volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization's business objectives. It provides a comprehensive overview of security metrics, discusses the current state of metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response. The book ensures that every facet of security required by an organization is linked to business objectives, and provides metrics to measure it. Case studies effectively demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit. With three decades of enterprise information security experience, author Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security.


About Author

W. Krag Brotby is an Enterprise Security Architect in Thousand Oaks, California.


Contents

Introduction
  • Governance
  • Metrics Overview
  • Defining Security
  • Is there a solution?

Security Metrics Overview
  • Metrics and Objectives
  • Information Security
  • Security
  • Why the IT metric focus
  • Other assurance functions
  • Stakeholders

Security Metrics
  • Security Program Effectiveness
  • Types of Metrics
  • Information Assurance / Security Metrics Classification
  • Monitoring vs. Metrics

Current State of Security Metrics
  • Quantitative Measures and Metrics
  • Performance Metrics
  • Financial Metrics
  • Return on Security Investment (ROSI)
  • A new ROSI model
  • Security Attribute Evaluation Method (SAEM)
  • Cost-Effectiveness Analysis
  • Fault Tree Analysis
  • Value at Risk (VAR)
  • ALE / SLE
  • Other Value Metrics
  • Limitations of existing approaches
  • Qualitative Security Metrics
  • Cultural Metrics
  • Risk Management through Cultural Theory
  • The Competing Values Framework
  • Organizational Structure
  • WIND STORM
  • Hybrid Approaches
  • Systemic Security Management
  • Balanced Scorecard
  • The SABSA Business Attributes Approach
  • Quality Metrics
  • Six Sigma
  • ISO 9000
  • Quality of Service (QOSS)
  • Maturity Level
  • Benchmarking
  • Standards
  • OCTAVE

Metrics Developments
  • Statistical Modeling
  • Phase Transitions in Operational Risk
  • Adequate Capital and Stress Testing for Operational Risks
  • Functional correlation approach to operational risk in banking organizations
  • Systemic Security Management
  • Value at Risk Analysis
  • Factor Analysis of Information Risk (FAIR)
  • Risk Factor Analysis
  • Probabilistic Risk Assessment (PRA)

Relevance
  • Problem Inertia
  • Correlating Metrics to Consequences

The Metrics Imperative
  • Study of ROSI of Security Measures
  • Resource Allocation
  • Managing without Metrics

Attributes of Good Metrics
  • Metrics Objectives
  • Measurement Categories
  • How can it be measured?
  • What is being measured?
  • Why is it measured?
  • Who are the recipients?
  • What does it mean?
  • What action is required?

Information Security Governance
  • Security Governance Outcomes
  • Defining Security Objectives
  • Sherwood Applied Business Security Architecture (SABSA)
  • CobiT
  • ISO 27001
  • Capability Maturity Model
  • Metrics and Strategy
  • Governance Metrics
  • Strategic Alignment
  • Risk Management
  • Value Delivery
  • Resource Management
  • Performance Measurement
  • Assurance Process Integration (convergence)

Metrics Development: A Different Approach
  • Activities Requiring Metrics

Information Security Governance Metrics
  • Strategic Security Governance Decisions
  • Strategic Security Governance Decision Metrics
  • Security Governance Management Decisions
  • Strategic Direction
  • Ensuring Objectives are Achieved
  • Managing Risks Appropriately
  • Using Resources Responsibly
  • Security Governance Operational Decisions

Information Security Risk Management
  • Information Security Risk Management Decisions
  • Information Security Risk Management Metrics
  • Criticality of assets
  • Sensitivity of assets
  • The nature and magnitude of impacts
  • Vulnerabilities
  • Threats
  • Probability of Compromise
  • Strategic initiatives and plans
  • Acceptable levels of risk and impact
  • Information Security Operational Risk Metrics
  • Internal Fraud
  • External Fraud
  • Employment Practices and Workplace Safety
  • Clients, Products & Business Practice
  • Damage to Physical Assets
  • Business Disruption & Systems Failures
  • Execution, Delivery & Process Management

Information Security Program Development Metrics
  • Program Development Management Metrics
  • Program Development Operational Metrics

Information Security Program Management Metrics
  • Security Management Decision Support Metrics
  • CISO Responsibilities
  • CISO Decisions
  • Strategic alignment
  • Case Study
  • Risk Management
  • Metrics for Risk Management
  • Organizational risk tolerance
  • Resource valuation
  • Comprehensive risk assessment
  • Effectiveness of mitigation efforts
  • Assurance Process Integration
  • Value Delivery
  • Resource Management
  • Performance Measurement
  • Information Security Management Operational Decision Support Metrics
  • IT and Information Security Management
  • Compliance Metrics
  • Criticality and Sensitivity
  • Risk Exposure
  • The state of compliance
  • Case Study
  • Personnel Competence
  • Resource adequacy
  • Metrics Reliability
  • Procedure functionality, efficiency, and appropriateness
  • Strategic Performance Measures
  • Tactical Performance Measures
  • Key Control Effectiveness
  • Control Reliability
  • Control Failure Management Effectiveness

Incident Management and Response
  • Incident Management Decision Support Metrics

Conclusions

Appendix A. Metrics Classifications
  • IA Program Developmental Metrics
  • Support Metrics
  • Operational Metrics
  • Effectiveness Metrics
  • Metrics for Strength Assessment
  • Metrics for Features in Normal Circumstances
  • Metrics for Features in Abnormal Circumstances
  • Metrics for Weakness Assessment

Appendix B. Cultural Worldviews
  • Hierarchists
  • Egalitarians
  • Individualists
  • Fatalists

Appendix C. The Competing Values Framework
  • Vertical: Stability/Flexibility
  • The Competing Values map
  • Hierarchy
  • Market
  • Adhocracy

Appendix D. The Organizational Culture Assessment Instrument (OCAI)

Appendix E. SABSA Business Attribute Metrics

Appendix F. Capability Maturity Model

Product Details

  • Publication date: 15/08/2008
  • ISBN13: 9781420052855
  • ISBN10: 1420052853
  • Format: Hardback
  • Number of pages: 200
  • ID: 9781420052855
  • Weight: 476
