Security Metrics: Replacing Fear, Uncertainty, and Doubt

Upon completion of this book, I began to muse: what percentage of security professionals have given any thought to security metrics? For those that have actually considered the topic, with what level of frequency do they entertain thoughts of security metrics? Yearly? Monthly? Daily? Gee, I think to myself, I'd like to see a time series analysis exhibit of that...Based on the fact that I sit here torturing myself with these thoughts, I contend that Security Metrics has already influenced my approach toward security management. Indeed, Jaquith has done an excellent job of exposing an area that is critical to effective security management, but to which many security practitioners (myself included) have previously paid lip service. Security Metrics offers valuable insight to organizations seeking to provide a greater level of intelligence and meaning around their security program(s).In addition to how well the ideas of the book resonated with my own professional and academic background, the choice to give a 5 star rating was based on its organization, readability, entertaining quips, and the fact that many of the alternative publications in the realm of security metrics are triple or more the cost of this one. Though I've not yet read or reviewed other similar works, the bar has been set high.

See the Full Review at my blog site: Terebrate.This book is a must-read for all cyber security professionals. It is not a part of the canon because it attacks a sacred cow of the industry—Annualized Loss Expectancy (ALE) as a means to justify your security budget—and the community has yet to fully embrace the idea that ALE might not be a good idea in all cases. But you should seriously consider this notion and this book is your gateway to do so. Consider it a Canon-Candidate. Jaquith describes why capturing and analyzing security metrics is a good and powerful thing and how you can use that intelligence to better understand the porous nature of your networks. It will help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security. You should have read this by now.

SECURITY METRICS is one of the only books you can find dealing with Info System Security (ISS) metrics. Author is a consultant and offers best practices on how to present metrics (aesthetics), and advises you on what tangible metrics will give you the most bang for the buck. Later in the book, Jaquith takes you up to the next level by adapting the Balanced Scorecard to the ISS world. Again, author walks you through specifics on metrics that would be reflective of the four different perspectives [Financial, Customer, Internal, and Learning&Growth]...a big help for anyone who has wrestled with Kaplan & Norton's "Balanced Scorecard" book.

Andrew Jaquith has never received the recognition he deserves for this seminal work on Security Metrics. If you work the field of information security this book should be on your shelf.

From the examples, you can tell this book is a bit dated. Other than that, it is still very crisp and fresh. The message that it advocates is, in my experience, still very welcome in this field (and beyond). Recommended!

The media could not be loaded.  This is an all-around excellent book. Written in an easy to read format and loaded with valuable experience and solutions. Not just for the IT Security realm but great content and solutions for all those that seek to measure security performance and countermeasure. A very valuable section of the book demonstrates great visual methods and charts for communicating results and trends. Highly recommended.

An old book but still very useful

Good read for a start

Paper quality worst and cheap. not at all worth of INR 3k+. This type of cheap product was not expected from Amazon.