Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement Hardcover – Mar 30 2009
About the Author
Enterprise Security Architect, Thousand Oaks, California
Most Helpful Customer Reviews on Amazon.com
The author encourages readers to consider a wide variety of measurement approaches and apply them sensibly to their information security management issues. In addition to conventional information security metrics, the book draws on governance, risk management, financial management and business analysis methods, a more diverse range of approaches than is normally covered in this field. Introducing measures of organization structure and culture sets this security metrics book apart from most others.
Although the writing style is clear, this is a complex subject covered in depth. Being rather theoretical in approach, the book won't suit practitioners simply looking for a short checklist of `security things to measure'. However, those with the interest and time to study Information Security Management Metrics will be rewarded with a deeper and more rounded understanding of the issue. As such, the book is probably of most value to CISOs and ISMs tasked with implementing better security metrics, and to information security management students.
Page 68, the paragraph and chart on a study of the ROSI of various activities, based on a whitepaper from @Stake. The author provided no interpretation for the chart. The book claims it's based on an analysis of over 600 organisations, and wrote an insightful observation: "These results will undoubtedly be controversial and lead to energetic protests..." The following was what troubled me.
Here is a short version of what the "saving to cost ratio" chart suggests: (1) Screen Locking has a 71.9% effectiveness in improving security; whereas things like (2) Nightly Back-up (only 0.2%) and (3) Central Access Control (0.1%). Firewall, IDS, patches, etc. are in between (all below 10%).
Any security professional who saw the chart and read the "insight" would question the findings and probably dig a bit deeper. I did. As it turns out, through a thin connection of mine who knows a guy who knows another guy who used to work for @Stake.
They couldn't find any whitepaper on a ROSI study of 600+ organisations. (Doesn't mean it's not there, but he couldn't find it.)
The cited source of the chart did work for @Stake for a year or so. However, the chart actually came from the source's PhD thesis while he was an economics graduate at Stanford University. (I am actually reading his paper from my desktop as I type this.) I am just going to copy the following verbatim, straight from the PhD thesis, in reference to the "saving to cost ratio" chart:
"The savings were calculated by assuming that each safeguard was implemented in isolation."
So.... how many of you implemented screen saver locking "in isolation"? Or turned on your nightly backup "only" and nothing else as a security measure? Don't get me wrong, it was actually quite an interesting paper, well worth the read. I believe the paper actually got quite a bit of press coverage when it was first released.
The only thing "controversial" about this is: how did the author miss that? (Book author, not the original source.)
Two stars for the end of chapters References.
By no means can it be called "a definitive guide ...." It neither provides any ideas on 'monitoring' nor on real 'measurement metrics.'
The index available as free download is misleading. It appears to cover a lot of ground and led me to purchase. However, Googling those topics or reading the Wiki on any of those topics will provide more information than the narrative.
I found the "Contents index" more useful than the book itself.