REVIEW: "Security Metrics", Andrew Jaquith
- BKSECMTR.RVW 20070612
"Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9,
%A Andrew Jaquith
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%G 0-321-34998-9 978-0-321-34998-9
%I Addison-Wesley Publishing Co.
%O U$49.99/C$61.99 fax: 416-443-0948 800-822-6339 bkexpress@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 306 p.
%T "Security Metrics: Replacing Fear, Uncertainty, and Doubt"
In the Foreword, Dan Geer states that the book is not about selling
the idea of metrics. Which makes the initial chapters a bit
problematic: if they aren't about selling the idea of metrics, what
are they about? Chapter one is supposed to be an introduction, but
seems primarily focused on the idea that metrics are not about risk
management. (There is also an assertion that proper metrics are "well
understood across industries, and consistently measured," which is
interesting because much of what follows appears to contradict this
statement.) The definition of security metrics, in chapter two,
addresses metrics from fields other than security, and emphasizes the
position that metrics are important (and that the current "metrics,"
such as checklist frameworks and annualized loss expectancy, are
inadequate). Chapter three divides metrics into four general areas,
dealing with perimeter security, control, availability, and
applications development. Brief examples of collections of metrics
related to these fields are given in the text, although the lists
can't be expected to be comprehensive, due to the huge scope of
security as a whole. The second of these topics, control, is probably
the subject of chapter four, although it is entitled "Measuring
Program Effectiveness." Basic concepts from statistics, such as the
difference between mean (average) and median (midpoint of a set of
elements), are presented in chapter five. Chapter six talks about
demonstrating data in a visual manner. Most of the material consists
of suggestions for graphics and examples are given "redrawing" the
displays of commercial programs. Aspects of automating the
calculations of security metrics are outlined in chapter seven. In
chapter eight, Jaquith recommends the use of a security scorecard
based on the Balanced Scorecard management assessment model.
Security can be difficult to define, let alone measure, and, in
general, too little attention is paid to numeric assessments that can
assist in determining how well we are performing at the task. This
book does go somewhat beyond a mere exhortation to create and use
metrics for security, but it still leaves an awful lot of work for the
practitioner or manager.
copyright Robert M. Slade, 2007 BKSECMTR.RVW 20070612
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Nothing in this world can take the place of persistence. Talent
will not; nothing is more common than unsuccessful people with
talent. Genius will not; unrewarded genius is almost a proverb.
Education will not; the world is full of educated derelicts.
Persistence and determination alone are omnipotent. The slogan
`press on' has solved and always will solve the problems of the
human race. - Calvin Coolidge