removed emoji from filenames, Obsidian changed all relevant links

Richard Kranendonk 2026-05-07 15:01:04 +02:00
parent d316285a74
commit 68f1c38681
638 changed files with 710 additions and 3176 deletions


@ -0,0 +1,30 @@
---
tags:
- metrics
---
[Security Metrics by Andrew Jaquith 2007](Security%20Metrics%20by%20Andrew%20Jaquith%202007.md)
[Security Metrics that Count for Twilio](Security%20Metrics%20that%20Count%20%20for%20Twilio.md)
[Austin Songer's List of Information Security Metrics to Track](https://songer.pro/list-of-information-security-metrics-to-track/)
CISSP study guide (p. 88).:
When a countermeasure or safeguard is implemented, security metrics should show a reduction in unwanted occurrences or an increase in the detection of attempts. Otherwise, the security mechanism is not providing the expected benefit. The act of measuring and evaluating security metrics is the practice of assessing the completeness and effectiveness of the security program. This should also include measuring it against common security guidelines and tracking the success of its controls.
Choosing to monitor or measure something the security staff has little control over or that is based on external drivers, can cause significant problems.
W. Krag Brotby and Gary Hinson (PRAGMATIC Security Metrics, 2013) state metrics should be:
- Predictive: They help us deal with situations, make decisions and improve things for the future;
- Relevant: To the subject matter i.e. information security, governance, risk, compliance, control ...;
- Actionable: They tell us things that we can actually do something about, apart from saying “Oh thats nice”!;
- Genuine: The numbers are fact-based and cannot easily be faked or manipulated for some hidden agenda;
- Meaningful: To the intended audience/s, without creating a lot of head-scratching and hand-waving;
- Accurate: Sufficiently true and precise to allow proportional control (not just stop/go but how fast?);
- Timely: Security is a dynamic area, so we need up-to-date information at the point decisions have to be made;
- Independent: Measured dispassionately and objectively, based on verifiable evidence; and
- Cost-effective: Generate more value than they cost to gather, analyze, present and use.
![](PRAGMATIC_security_metrics_examples.xlsx)
Standards and Frameworks:
- [ISO 27004](../Standards/ISO27x/ISO%2027004.md)
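Review bot: the Twilio link target `Security%20Metrics%20that%20Count%20%20for%20Twilio.md` contains two consecutive spaces (`%20%20`), which looks like the gap left where the emoji was stripped from the filename; either rename the file to a single space and update this link, or confirm the file on disk really has the double space, since otherwise the link resolves to nothing once the note is published outside Obsidian. Two smaller points in the same hunk: `![](PRAGMATIC_security_metrics_examples.xlsx)` uses image-embed syntax on a spreadsheet, which will not render as an image in a generic markdown viewer, so a plain `[...](...)` link would be clearer; and `CISSP study guide (p. 88).:` has a stray period before the colon and would read better as a `>` quote block for the two quoted paragraphs that follow, so the guide's wording is visibly separated from the note's own text.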