Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI, 1st Edition (Hardback) book cover

Complete Guide to Security and Privacy Metrics

Measuring Regulatory Compliance, Operational Resilience, and ROI, 1st Edition

By Debra S. Herrmann

Auerbach Publications

848 pages | 28 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9780849354021
pub: 2007-01-22
eBook (VitalSource) : 9780429134722
pub: 2007-01-22
from $108.00

FREE Standard Shipping!


While it has become increasingly apparent that individuals and organizations need a security metrics program, it has been exceedingly difficult to define exactly what that means in a given situation. There are hundreds of metrics to choose from and an organization’s mission, industry, and size will affect the nature and scope of the task as well as the metrics and combinations of metrics appropriate to accomplish it. Finding the correct formula for a specific scenario calls for a clear concise guide with which to navigate this sea of information.

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI defines more than 900 ready to use metrics that measure compliance, resiliency, and return on investment. The author explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives. The book addresses measuring compliance with current legislation, regulations, and standards in the US, EC, and Canada including Sarbanes-Oxley, HIPAA, and the Data Protection Act-UK. The metrics covered are scaled by information sensitivity, asset criticality, and risk, and aligned to correspond with different lateral and hierarchical functions within an organization. They are flexible in terms of measurement boundaries and can be implemented individually or in combination to assess a single security control, system, network, region, or the entire enterprise at any point in the security engineering lifecycle. The text includes numerous examples and sample reports to illustrate these concepts and stresses a complete assessment by evaluating the interaction and interdependence between physical, personnel, IT, and operational security controls.

Bringing a wealth of complex information into comprehensible focus, this book is ideal for corporate officers, security managers, internal and independent auditors, and system developers and integrators.


"Provides valuable directions on how measurement works and what goes into producing a useful metric. … when faced with the necessity of developing a metrics program to measure the effectiveness of some aspect of your security efforts, this rather imposing tome is one I would recommend as a way to jumpstart your efforts. The master table in the introduction provides a quick guide to the particular section most relevant to the reader’s need …”

— Richard Austin, in IEEE Cipher, June 2007

"… a useful reference for individuals who must meet the challenge of selecting good metrics."

—Cheryl Washington, Information Security Officer, California State University, in Educause Quarterly

Table of Contents





How to Get the Most Out of This Book


The “Whats” and “Whys” of Metrics

Measurement Basics

Data Collection and Validation

Defining Measurement Boundaries

Whose Metrics?

Uses and Limits of Metrics

Avoiding the Temptation to Bury Your Organization in Metrics

Relation to Risk Management

Examples from Reliability Engineering

Examples from Safety Engineering

Examples from Software Engineering

The Universe of Security and Privacy Metrics

Measuring Compliance with Security and Privacy Regulations and Standards

Financial Industry

Gramm-Leach-Bliley (GLB) Act — United States

Sarbanes-Oxley Act — United States


Health Insurance Portability And Accountability Act (HIPAA) — United States

Personal Health Information Act (PHIA) — Canada

Personal Privacy

Organization for Economic Cooperation and Development (OECD) Privacy, Cryptography, and Security Guidelines

Data Protection Directive — E.C.

Data Protection Act — United Kingdom

Personal Information Protection And Electronic Documents Act (PIPEDA) — Canada

Privacy Act — United States

Homeland Security

Federal Information Security Management Act (FISMA) — United States

Homeland Security Presidential Directives (HSPDs) — United States

North American Electrical Reliability Council (NERC) Cyber Security Standards

The Patriot Act — United States

Measuring Resilience of Physical, Personnel, IT, and Operational Security Controls

Physical Security

Personnel Security

IT Security

Operational Security

Measuring Return on Investment (ROI) in Physical, Personnel, IT, and Operational Security Controls

Security ROI Model

Security ROI Primitives, Metrics, and Reports


A Glossary of Terms, Acronyms, and Abbreviations

B Additional Resources:





Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General