Security Metrics Books
A brief review of the books available (from Amazon) in the nascent field of information security measurement.
Security Metrics: Replacing Fear, Uncertainty, and Doubt
ISBN-13: 978-0321349989 ISBN-10: 9780321349989 Amazon Paperback and Kindle
Andrew Jaquith's 2007 book is widely considered both the first useful book in the field and canonical. The Treefrog book preaches that security (processes) can be measured, and good can come of it, but that security metrics don't easily or usually factor into risk management frameworks. Instead measure what you are trying to improve, and let that be sufficient.
In support of this Jaquith provides a detailed taxonomy of useful measures and their sources, practical advice about communicating data, and many avoidable mistakes from his long experience and professional relationships in the industry.
It's valuable for the perspective, the lists and lists of measures, and his extensive experiences in the field. In contrast to some other works discussed Treefrog is excellent to pick out what you need or to figure out how to measure something you've identified as an objective because the author doesn't propose a program, sell a product, or demand project management.
I should finish reading it someday.
Security Metrics, A Beginner's Guide
ISBN-13: 978-0071744003 ISBN-10: 0071744002 amazon Paperback and Kindle
Caroline Wong's 2011 book based on her experiences at large firms (including Cigital, Zynga, and eBay) proposes and explains a program for developing good measurements of information security practices across an entire program. The process seems sound and is supported by argument and anecdotes from her experience and current events in information security. There is no question that the metric program is a distinct project in its own right, and this focuses the effectiveness of the work for those looking to start such a project. Project management is a key emphasis of the program developed in the book as the title of Chapter 4 makes clear: "Commitment to Project Management".
This book looks quite valuable to managers and leaders looking to instrument their information security program or standing up a new one. It's not clear from reviews and excerpts perused how much reference value it has.
IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data
ISBN-13: 978-0071713405 ISBN-10: 0071713409 Amazon Paperback and Kindle
Lance Hayden brings extensive academic credentials and industry experience to the topic in his 2010 book. Like Wong, Hayden presents a security metrics program for adoption. In contrast to Wong, this book digs deeper into process management methodology and formal process is introduced continually throughout the work.
Complimenting the process methodology emphasis there are many case study anecdotes and metric examples to illustrate key points. Hayden goes well beyond setting up a metrics program and builds process for organizational learning, process improvements, and links into control frameworks.
If Treefrog dismisses risk management frameworks and qualitative data as not worth your time, Hayden might well prove that if you put the work in both are quite beneficial to measuring and improving security. This seems like an excellent follow-on to study of Treefrog, as noted by reviewers.
PRAGMATIC Security Metrics: Applying Metametrics to Information Security
ISBN-13: 978-1439881521 ISBN-10: 1439881529
Amazon Hardback and Kindle
W. Krag Brotby and Gary Hinson's 2013 book might be best be presented as a blend of the other three works reviewed here. Much like Wong, the authors strongly advocate a specific approach to metrics as a process. the process is formal and discrete, and comes complete with its own acronym (also in the book title). Hayden is chock-full of processes and each has an acronym. It also provides more than a hundred sample metrics, much as the Treefrog book did.
The authors emphasize the collaborative nature of their work not only with each other but with the community and encourage readers to join a discussion list at their web site. This helps set a tone that many reviewers found helpful in engaging with the material.
In addition to scoring metrics with their system they also offer material on classifying metrics several different ways. This work also includes a literature review of the field, including Treefrog, where other works include references.
PRAGMATIC looks to be a very interesting new contribution to the field.
Written with StackEdit.