Security Metrics: Replacing Fear, Uncertainty, and Doubt

Upon completion of this book, I began to muse: what percentage of security professionals have given any thought to security metrics? For those that have actually considered the topic, with what level of frequency do they entertain thoughts of security metrics? Yearly? Monthly? Daily? Gee, I think to myself, I'd like to see a time series analysis exhibit of that... Based on the fact that I sit here torturing myself with these thoughts, I contend that Security Metrics has already influenced my approach toward security management. Indeed, Jaquith has done an excellent job of exposing an area that is critical to effective security management, but to which many security practitioners (myself included) have previously paid lip service. Security Metrics offers valuable insight to organizations seeking to provide a greater level of intelligence and meaning around their security program(s). In addition to how well the ideas of the book resonated with my own professional and academic background, the choice to give a 5 star rating was based on its organization, readability, entertaining quips, and the fact that many of the alternative publications in the realm of security metrics are triple or more the cost of this one. Though I've not yet read or reviewed other similar works, the bar has been set high.

This is an all-around excellent book. Written in an easy to read format and loaded with valuable experience and solutions. Not just for the IT Security realm but great content and solutions for all those that seek to measure security performance and countermeasure. A very valuable section of the book demonstrates great visual methods and charts for communicating results and trends. Highly recommended.

See the Full Review at my blog site: Terebrate. This book is a must-read for all cyber security professionals. It is not a part of the canon because it attacks a sacred cow of the industry—Annualized Loss Expectancy (ALE) as a means to justify your security budget—and the community has yet to fully embrace the idea that ALE might not be a good idea in all cases. But you should seriously consider this notion and this book is your gateway to do so. Consider it a Canon-Candidate. Jaquith describes why capturing and analyzing security metrics is a good and powerful thing and how you can use that intelligence to better understand the porous nature of your networks. It will help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security. You should have read this by now.

A must read if you manage information security at your organization, Jaquith is an insightful manager and excellent writer sharing his thoughts and examples.

SECURITY METRICS is one of the only books you can find dealing with Info System Security (ISS) metrics. Author is a consultant and offers best practices on how to present metrics (aesthetics), and advises you on what tangible metrics will give you the most bang for the buck. Later in the book, Jaquith takes you up to the next level by adapting the Balanced Scorecard to the ISS world. Again, author walks you through specifics on metrics that would be reflective of the four different perspectives [Financial, Customer, Internal, and Learning&Growth]...a big help for anyone who has wrestled with Kaplan & Norton's "Balanced Scorecard" book.

Interesting and useful info.

What a book. Seriously, I laughed, I cried. I shouted in frustration, only to be placated on the next page. I got a better understanding of what Andy has been banging on about with Security Metrics. And it helps me do my job better.

it is ok if you want to read theory and not to much to practice. Maybe more books would be needed to complementary information and practice

Paper quality worst and cheap. not at all worth of INR 3k+. This type of cheap product was not expected from Amazon.