
Information Security Management Metrics

A Definitive Guide to Effective Security Monitoring and Measurement, 1st Edition

By W. Krag Brotby, CISM

Auerbach Publications

200 pages | 14 B/W Illus.

Hardback: ISBN 9781420052855, published 2009-03-30
eBook (VitalSource): ISBN 9780429133176, published 2009-03-30

Description

Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical.

Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides anyone with security and risk management responsibilities insight into these critical security questions:

  • How secure is my organization?
  • How much security is enough?
  • What are the most cost-effective security solutions?
  • You can’t manage what you can’t measure

This volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization’s business objectives. It provides a comprehensive overview of security metrics, discusses the current state of metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response.

The book ensures that every facet of security required by an organization is linked to business objectives, and provides metrics to measure it. Case studies effectively demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit.

With three decades of enterprise information security experience, author Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security.

Table of Contents

Introduction
Governance
Metrics Overview
Defining Security
Is there a solution?

SECURITY METRICS OVERVIEW
Metrics and Objectives
Information Security
Security
Why the IT metric focus
Other assurance functions
Stakeholders

SECURITY METRICS
Security Program Effectiveness
Types of Metrics
Information Assurance / Security Metrics Classification
Monitoring vs. Metrics

CURRENT STATE OF SECURITY METRICS
Quantitative Measures and Metrics
Performance Metrics
Financial Metrics
Return on Security Investment (ROSI)
A new ROSI model
Security Attribute Evaluation Method (SAEM)
Cost-Effectiveness Analysis
Fault Tree Analysis
Value at Risk (VAR)
ALE / SLE
Other Value Metrics
Limitations of existing approaches
Qualitative Security Metrics
Cultural Metrics
Risk Management through Cultural Theory
The Competing Values Framework
Organizational Structure
WIND
STORM
Hybrid Approaches
Systemic Security Management
Balanced Scorecard
The SABSA Business Attributes Approach
Quality Metrics
Six Sigma
ISO 9000
Quality of Service (QOSS)
Maturity Level
Benchmarking
Standards
OCTAVE

METRICS DEVELOPMENTS
Statistical Modeling
Phase Transitions in Operational Risk
Adequate Capital and Stress Testing for Operational Risks
Functional correlation approach to operational risk in banking organizations
Systemic Security Management
Value at Risk Analysis
Factor Analysis of Information Risk (FAIR)
Risk Factor Analysis
Probabilistic Risk Assessment (PRA)

RELEVANCE
Problem Inertia
Correlating Metrics to Consequences

THE METRICS IMPERATIVE
Study of ROSI of Security Measures
Resource Allocation
Managing without Metrics

ATTRIBUTES OF GOOD METRICS
Metrics Objectives
Measurement Categories
How can it be measured?
What is being measured?
Why is it measured?
Who are the recipients?
What does it mean?
What action is required?

INFORMATION SECURITY GOVERNANCE
Security Governance Outcomes
Defining Security Objectives
Sherwood Applied Business Security Architecture (SABSA)
CobiT
ISO 27001
Capability Maturity Model
Metrics and Strategy
Governance Metrics
Strategic Alignment
Risk Management
Value Delivery
Resource Management
Performance Measurement
Assurance Process Integration (convergence)

METRICS DEVELOPMENT – A DIFFERENT APPROACH
Activities Requiring Metrics

INFORMATION SECURITY GOVERNANCE METRICS
Strategic Security Governance Decisions
Strategic Security Governance Decision Metrics
Security Governance Management Decisions
Strategic Direction
Ensuring Objectives are Achieved
Managing Risks Appropriately
Using Resources Responsibly
Security Governance Operational Decisions

INFORMATION SECURITY RISK MANAGEMENT
Information Security Risk Management Decisions
Information Security Risk Management Metrics
Criticality of assets
Sensitivity of assets
The nature and magnitude of impacts
Vulnerabilities
Threats
Probability of Compromise
Strategic initiatives and plans
Acceptable levels of risk and impact
Information Security Operational Risk Metrics
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Clients, Products & Business Practice
Damage to Physical Assets
Business Disruption & Systems Failures
Execution, Delivery & Process Management

INFORMATION SECURITY PROGRAM DEVELOPMENT METRICS
Program Development Management Metrics
Program Development Operational Metrics

INFORMATION SECURITY PROGRAM MANAGEMENT METRICS
Security Management Decision Support Metrics
CISO Responsibilities
CISO Decisions
Strategic alignment
Case Study
Risk Management
Metrics for Risk Management
Organizational risk tolerance
Resource valuation
Comprehensive risk assessment
Effectiveness of mitigation efforts
Assurance Process Integration
Value Delivery
Resource Management
Performance Measurement
Information Security Management Operational Decision Support Metrics
IT and Information Security Management
Compliance Metrics
Criticality and Sensitivity
Risk Exposure
The state of compliance
Case Study
Personnel Competence
Resource adequacy
Metrics Reliability
Procedure functionality, efficiency, and appropriateness
Strategic Performance Measures
Tactical Performance Measures
Key Control Effectiveness
Control Reliability
Control Failure
Management Effectiveness

INCIDENT MANAGEMENT AND RESPONSE
Incident Management Decision Support Metrics

CONCLUSIONS

APPENDIX A. METRICS CLASSIFICATIONS
IA Program Developmental Metrics
Support Metrics
Operational Metrics
Effectiveness Metrics
Metrics for Strength Assessment
Metrics for Features in Normal Circumstances
Metrics for Features in Abnormal Circumstances
Metrics for Weakness Assessment

APPENDIX B. CULTURAL WORLDVIEWS
Hierarchists
Egalitarians
Individualists
Fatalists

APPENDIX C. THE COMPETING VALUES FRAMEWORK
Vertical: Stability/Flexibility
The Competing Values map
Hierarchy
Market
Adhocracy

APPENDIX D. THE ORGANIZATION CULTURE ASSESSMENT INSTRUCTION (OCAI)

APPENDIX E. SABSA BUSINESS ATTRIBUTE METRICS

APPENDIX F. CAPABILITY MATURITY MODEL

Subject Categories

BISAC Subject Codes/Headings:
BUS073000 BUSINESS & ECONOMICS / Commerce
COM032000 COMPUTERS / Information Technology
COM053000 COMPUTERS / Security / General