Security Metrics, A Beginner's Guide

Home >
Browse >
Security Metrics, A Beginner's Guide

Security Metrics, A Beginner's Guide

Authors: Caroline Wong

Published: October 2011

eISBN: 9780071744010 0071744010 | ISBN: 9780071744003

Contents

Foreword

Acknowledgments

Introduction

Part I: Why Security Metrics?

1 Why Measure Security?

Purpose of an Information Security Program

Benefits of a Security Metrics Program

Why Are Security Metrics So Hard to Do?

2 Why Security Metrics are Needed Now

Security Work is Never Finished: Technology Changes and Moore’s Law

More on the Increasing Sophistication of Attacks

New Developments in Information Security

Profile of a Hacker

Today’s “Security Best Practices” Are Not Good Enough

Part II: Essential Components of an Effective Security Metrics Practitioner

3 Analytics

What are Security Analytics?

Visualization

Bundling Interpretation and Metrics

Do I Need a PhD in Math?

Examples of Applying Analytic Patterns

4 Commitment to Project Management

Information Security Culture

Project Management

Run-the-Business Activities

Part III: Decide What to Measure

5 Identify Core Competencies, Information Security Work, and Resourcing Options

Evaluating Security Core Competencies for Metrics Projects

Spectrum of Information Security Work

Leveraging the Outsourcing and Offshoring Models

6 Identify Targets

Revisiting Objectives of an Information Security Metrics Program

Identifying What’s Important

Identifying What’s Broken

Identifying What’s Basic

Identifying What Needs to Be Discussed

Identifying What’s New

Part IV: Get Started

7 Define Project Objectives

Training for a Marathon

Mapping a Target to a Benefit

Defining the Objective of a Security Metrics Project

Lessons Learned

8 Define Your Priorities

A Real-World Prioritization Example

Why is it Important to Prioritize?

Advantages of Effective Prioritization

Factors to Consider

How to Prioritize

9 Identify Key Messages and Key Audiences

Why Stakeholder Engagement is Important

Stakeholder Engagement

Examples

Chapter Summary

10 Obtain Buy-In from Stakeholders

What is Buy-In and Why Do You Need it?

Preparing for a Buy-In Discussion with Stakeholders

Meeting, Explaining, Asking, Documenting

Part V: Toolkit

11 Automation

Automation: Benefits

Automation: Workflow

12 Analysis Technologies and a Case Study

Automation: Technologies

Case Study

Part VI: Creating the Best Environment for Healthy Metrics

13 Define a Communications Strategy

What Do You Want to Communicate?

Keep Your Message Consistent

Know Your Audience

Communicate Well

Share More

Communication Formats

Additional Tips on Communicating Effectively

14 Drive an action Plan: the Importance of Project Management

Role of the Project Manager

Managing Change

Decision Making

Reporting Formats

Part VII: Secret Sauce: Lessons Learned from an Enterprise Practitioner

15 Improving Data Quality and Presentation

Data Cleansing

Reporting Data from Multiple Systems

Data, Processes, and People

Don’t Wait for Perfect Data Before Reporting

16 Resourcing and Security Metrics Projects

Resourcing Options

Leveraging Politics and Competition

Metrics as Justification for More Resources

Report Quickly

Part VIII: Looking Forward

17 Security Metrics for Cloud Computing

Cloud Computing Defined

Cloud Business Drivers

The New Normal

Security Metrics vs. Cloud Security Metrics

Cloud Security Alliance

Final Thoughts

Part IX: Appendix and Glossary

Appendix: Templates and Checklists

Chapter 1: The Three Benefits of a Security Metrics Program

Chapter 2: Best Practice Analysis

Chapter 5: Request for Proposal

Chapter 6: Metrics for High Risk Areas

Chapter 7: Meeting with Stakeholders

Chapter 8: Basic Prioritization Questions

Chapter 9: Identifying Key Audiences and Key Messages

Chapter 17: Template for Completely and Unambiguously Defining a Metric

Glossary

A

B

C

D

F

I

M

O

P

Q

R

S

T

W

Index