
REVIEW: "Security Metrics", Andrew Jaquith

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Aug 29, 2007
      BKSECMTR.RVW 20070612

      "Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9,
      %A Andrew Jaquith
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2007
      %G 0-321-34998-9 978-0-321-34998-9
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$61.99 fax: 416-443-0948 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321349989/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321349989/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 306 p.
      %T "Security Metrics: Replacing Fear, Uncertainty, and Doubt"

      In the Foreword, Dan Geer states that the book is not about selling
      the idea of metrics. Which makes the initial chapters a bit
      problematic: if they aren't about selling the idea of metrics, what
      are they about? Chapter one is supposed to be an introduction, but
      seems primarily focused on the idea that metrics are not about risk
      management. (There is also an assertion that proper metrics are "well
      understood across industries, and consistently measured," which is
      interesting because much of what follows appears to contradict this
      statement.) The definition of security metrics, in chapter two,
      addresses metrics from fields other than security, and emphasizes the
      position that metrics are important (and that the current "metrics,"
      such as checklist frameworks and annualized loss expectancy, are
      inadequate). Chapter three divides metrics into four general areas,
      dealing with perimeter security, control, availability, and
      applications development. Brief examples of collections of metrics
      related to these fields are given in the text, although the lists
      can't be expected to be comprehensive, due to the huge scope of
      security as a whole. The second of these topics, control, is probably
      the subject of chapter four, although it is entitled "Measuring
      Program Effectiveness." Basic concepts from statistics, such as the
      difference between mean (average) and median (midpoint of a set of
      elements), are presented in chapter five. Chapter six talks about
      demonstrating data in a visual manner. Most of the material consists
      of suggestions for graphics, and examples are given of "redrawing" the
      displays of commercial programs. Aspects of automating the
      calculations of security metrics are outlined in chapter seven. In
      chapter eight, Jaquith recommends the use of a security scorecard
      based on the Balanced Scorecard management assessment model.

      Security can be difficult to define, let alone measure, and, in
      general, too little attention is paid to numeric assessments that can
      assist in determining how well we are performing at the task. This
      book does go somewhat beyond a mere exhortation to create and use
      metrics for security, but it still leaves an awful lot of work for the
      practitioner or manager.

      copyright Robert M. Slade, 2007 BKSECMTR.RVW 20070612

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Nothing in this world can take the place of persistence. Talent
      will not; nothing is more common than unsuccessful people with
      talent. Genius will not; unrewarded genius is almost a proverb.
      Education will not; the world is full of educated derelicts.
      Persistence and determination alone are omnipotent. The slogan
      `press on' has solved and always will solve the problems of the
      human race. - Calvin Coolidge