Security Metrics: Replacing Fear, Uncertainty, and Doubt

  • ISBN13:
  • ISBN10:
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2007-03-26
  • Publisher: Addison-Wesley Professional




The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise. Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization's unique requirements. You'll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management. Security Metrics successfully bridges management's quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith's extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else.

You'll learn how to:

  • Replace nonstop crisis response with a systematic approach to security improvement
  • Understand the differences between "good" and "bad" metrics
  • Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk
  • Quantify the effectiveness of security acquisition, implementation, and other program activities
  • Organize, aggregate, and analyze your data to bring out key insights
  • Use visualization to understand and communicate security issues more clearly
  • Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources
  • Implement balanced scorecards that present compact, holistic views of organizational security effectiveness

Whether you're an engineer or consultant responsible for security and reporting to management, or an executive who needs better information for decision-making, Security Metrics is the resource you have been searching for.

Andrew Jaquith, program manager for Yankee Group's Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist.

Author Biography

Andrew Jaquith is the program manager for Yankee Group’s Enabling Technologies Enterprise group, with expertise in compliance, security, and risk management. Jaquith advises enterprise clients on how to manage security resources in their environments. He also helps security vendors develop strategies for reaching enterprise customers. Jaquith’s research focuses on topics such as security management, risk management, and packaged and custom web-based applications.


Jaquith has 15 years of IT experience. Before joining Yankee Group, he cofounded and served as program director at @stake, Inc., a security consulting pioneer, which Symantec Corporation acquired in 2004. Before @stake, Jaquith held project manager and business analyst positions at Cambridge Technology Partners and FedEx Corporation.


His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist. In addition, Jaquith contributes to several security-related open-source projects.


Jaquith holds a B.A. degree in economics and political science from Yale University.


Table of Contents

Foreword, p. xv
Preface, p. xix
Acknowledgments, p. xxv
About the Author, p. xxviii
Introduction: Escaping the Hamster Wheel of Pain, p. 1
Defining Security Metrics, p. 9
Diagnosing Problems and Measuring Technical Security, p. 39
Measuring Program Effectiveness, p. 89
Analysis Techniques, p. 133
Visualization, p. 157
Automating Metrics Calculations, p. 217
Designing Security Scorecards, p. 251
Index, p. 301
Table of Contents provided by Publisher. All Rights Reserved.


Preface

What This Book Is About

This book is about security metrics: how to quantify, classify, and measure information security operations in modern enterprise environments.

How This Book Came to Be

Every consultant worth his or her weight in receipts accumulates a small trove of metaphors, analogies, and witty expressions. These help explain or clarify those rarified things that consultants do and tend to lubricate the consulting process. Oh, and they also tend to be funny. One of my favorite bits--particularly relevant to the topic at hand--is this one:

No good deed goes unpunished.

This simply means that with any worthwhile endeavor comes many unwitting (and often unwanted) consequences. So it is with the world of "security metrics." As you will see in the story I am about to tell you, my steadfast belief that security metrics ought to be a very! serious! field of study! has brought with it its own punishment.

Several years ago, several colleagues and I undertook a series of elaborate empirical studies on the subject of application security. We rigorously gathered and cleansed far-flung source material, aggregated and analyzed the resulting data, built an exotic mathematical model, and wrote a short research paper on the subject, complete with eye-catching charts and graphs. It was well received by customers and media alike.

Some time later I was asked to present a condensed version of our findings on an Internet webcast run by an industry trade publication. In this case "webcast" meant a PowerPoint presentation accompanied by previously taped narration. The audience, as pitched to me by the sponsor, was to include "CSOs, technologists, and decision-makers." That sounded great; I relished the opportunity to impress the bejeezus out of the vast numbers of grand globetrotters promised by the publication.

In addition, my Inner Academic had high hopes that many in the audience would send me e-mails and letters marveling at the analytical techniques we used, the breadth of the data, and the many keen insights contained in the narrative and text.

How wrong I was. Instead of measured praise from academe, I received several e-mails that went something like this: "Great presentation, but I was hoping to see more 'return on investment' numbers. You see, I really need to convince my boss to help me buy widget ______ (fill in the blank)." And then there were the slightly more disturbing comments, like this one: "We have no money for our security program! Oh, woe is me! What I really need is more ROI! Help me!"

I confess to embroidering the truth a tiny bit here; the second e-mail I received was not nearly so plaintive. But the theme was clear: viewers assumed that because the webcast was about "security metrics," it must be about ROI. Our marvelous metrics were the good deed; their unfulfilled expectations were the punishment.

Goals of This Book

Mercifully, the "security ROI" fad has gone the way of the Macarena. But to be absolutely sure that your expectations are managed (more consultantspeak for you), here is what this book is about, and what it is not about.

The primary objective of this book is to quantitatively analyze digital security activities. The chapters suggest ways of using numbers to illuminate an organization's security activities:

  • Measuring security: Putting numbers around activities that have traditionally been considered difficult to measure
  • Analyzing data: What kinds of sources of security data exist, and how you can put them to work for you
  • Telling a story: Techniques you can use to marshal empirical evidence into a coherent set of mes
