to a CISO and immediately his thoughts may well turn to sigmas,
standard deviations and, probably, probability. To many, metrics equals
There’s no denying that proven economic principles can—and should—be
applied to information security investments. At the same time, a bumper
crop of valuable metrics exist that don’t require classes on Nobel
Prize-winning theories or a working knowledge of the Greek alphabet.
You’ve actually already sowed the seeds of these less dense but equally
valuable metrics. They’re sitting in your log files, on your network,
in the brains of your business unit managers, just waiting to be
harvested. You won’t need computational prowess to exploit this crop’s
value, just some legwork and—this is key—the most effective
Here we discuss five such metrics, along with some ways to present them
visually, as imagined by Andrew Jaquith. Jaquith is a cofounder of the
consultancy @stake (which was bought in 2004 by Symantec) and a protégé
of infosecurity guru Dan Geer.
Get the full article in CSO Magazine Online. This is a very good read. I will be using many of his suggestions in future security work.