Biography
After completing a PhD and post-doc in microbial genetics at the University of Leicester, I moved into IT system and network administration for a pharmaceuticals company in Surrey, then information security and IT auditing for a utility in Swindon. I worked for a specialist information security consultancy in London for a while, mostly in Brussels, then struck out on my own in 2002.
I came up with the concept of an awareness program tackling a different information security topic each month and launched the NoticeBored subscription service in 2003 (see www.NoticeBored.com).
While NoticeBored keeps me very busy, I also run a website and discussion forum for the ISO/IEC 27000-series "ISO27k" standards (ISO27001security.com). From small beginnings, a group of ISO27k users and fans has grown into a global self-help forum, with a complete spectrum from newbies just thinking about implementing the standards through to serial implementers, certification auditors, consultants and members of the ISO/IEC committee responsible for developing the standards.
Being a scientist at heart, I have a life-long fascination with measuring and analyzing things. Applying scientific principles to the management of information security risks has captured my imagination and kept me busy for about two decades. Working as an IT auditor, I developed a structured audit approach in order to assess information security, risk management, governance, compliance and control practices in a measured way. My audit work programmes give sufficient precision to be able not just to identify their strengths and weaknesses, but to compare them meaningfully with other clients or business units and share good practices. The method is repeatable enough to demonstrate progress (or the lack of it!) from year to year with a single client, and flexible enough to incorporate new threats, vulnerabilities and impacts as they emerge.
Reporting and discussing audits with information security, risk management and compliance professionals, and with senior management, gave me an insight into their rather different perspectives and information needs. Whereas practitioners are interested in the fine details, managers are concerned with the bigger picture, hence engaging and motivating both groups with essentially the same data set is a difficult challenge, one that led me into metrics.
A chance encounter with Krag Brotby led to us collaborating on a security metrics book aimed at security practitioners and managers rather than academics. Previous works in this field (including Krag's!) were mostly theoretical in style, exploring number theory or management theory as if security metrics was simply a matter of applying statistics to generate graphs. While numeric accuracy and precision can be important, graphs alone are not sufficient. What's more, many of the most interesting facets of information security are not readily turned into numbers that can be graphed. Things such as employees' security awareness levels and security professionals' competence are extremely important factors that are intrinsically difficult to measure scientifically.
Putting a more practical spin on Krag's previous metrics work led to a breakthrough in the PRAGMATIC method, described at length in PRAGMATIC Security Metrics (see www.SecurityMetametrics.com). At last we have a sensible way to compare and contrast potential security metrics. Furthermore, analysing and discussing metrics in this way leads to a much deeper and more meaningful understanding of the information requirements, and can be a very creative process. At last we can break away from the "Use metric X because the data are available" approach, instead creating security metrics that will tell us the things we truly need to know.
Information security
IT audit
Governance
Compliance
Risk management and control
Informing and motivating
Leadership
Innovation
Areas of Research / Professional Expertise
Cloning and analysing the genes for fimbrial proteins on the surface of enterotoxigenic Escherichia coli responsible for life-threatening diarrhoeal diseases in children and - it turned out - also present on a different strain of E. coli that causes urinary tract infections.
All the above - I love my job! My free time is mostly consumed by amateur radio and electronics, or fencing (around the farm - not the sport!). I live on a "lifestyle block" in rural New Zealand, with a few sheep, goats and antennas.