Security Metrics: Replacing Fear, Uncertainty, and Doubt
Author: Andrew Jaquith
Publisher: Addison-Wesley Professional
Category: Book

List Price: $49.99
Buy New: $31.03
You Save: $18.96 (38%)
Buy New/Used from $31.03

Avg. Customer Rating: 4.5 out of 5 stars (18 reviews)
Sales Rank: 18826

Media: Paperback
Edition: 1
Number Of Items: 1
Pages: 336
Shipping Weight (lbs): 1.1
Dimensions (in): 8.9 x 7 x 0.8

ISBN: 0321349989
Dewey Decimal Number: 658.47015195
EAN: 9780321349989
ASIN: 0321349989

Publication Date: April 5, 2007
Availability: Usually ships in 1-2 business days

Similar Items:

  • Security Data Visualization: Graphical Techniques for Network Analysis
  • Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
  • Enterprise Security Architecture: A Business-Driven Approach
  • The New School of Information Security

Editorial Reviews:

Product Description
The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.

Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

Security Metrics successfully bridges management’s quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith’s extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. You’ll learn how to:

• Replace nonstop crisis response with a systematic approach to security improvement

• Understand the differences between “good” and “bad” metrics

• Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk

• Quantify the effectiveness of security acquisition, implementation, and other program activities

• Organize, aggregate, and analyze your data to bring out key insights

• Use visualization to understand and communicate security issues more clearly

• Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources

• Implement balanced scorecards that present compact, holistic views of organizational security effectiveness

Whether you’re an engineer or consultant responsible for security and reporting to management, or an executive who needs better information for decision-making, Security Metrics is the resource you have been searching for.

Andrew Jaquith, program manager for Yankee Group’s Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist.

Foreword

Preface

Acknowledgments

About the Author

Chapter 1 Introduction: Escaping the Hamster Wheel of Pain

Chapter 2 Defining Security Metrics

Chapter 3 Diagnosing Problems and Measuring Technical Security

Chapter 4 Measuring Program Effectiveness

Chapter 5 Analysis Techniques

Chapter 6 Visualization

Chapter 7 Automating Metrics Calculations

Chapter 8 Designing Security Scorecards

Index

Customer Reviews:

4 out of 5 stars Good resource for infosec professionals   June 14, 2008
Nutshell review - This is a great book on security metrics. Practical, applicable, well written, well presented and will serve as an excellent resource for security professionals.


5 out of 5 stars A necessary paradigm shift for information security   December 2, 2007
Upon completion of this book, I began to muse: what percentage of security professionals have given any thought to security metrics? For those that have actually considered the topic, with what level of frequency do they entertain thoughts of security metrics? Yearly? Monthly? Daily? Gee, I think to myself, I'd like to see a time series analysis exhibit of that...

Based on the fact that I sit here torturing myself with these thoughts, I contend that Security Metrics has already influenced my approach toward security management. Indeed, Jaquith has done an excellent job of exposing an area that is critical to effective security management, but to which many security practitioners (myself included) have previously paid lip service. Security Metrics offers valuable insight to organizations seeking to provide a greater level of intelligence and meaning around their security program(s).

In addition to how well the ideas of the book resonated with my own professional and academic background, the choice to give a 5 star rating was based on its organization, readability, entertaining quips, and the fact that many of the alternative publications in the realm of security metrics are triple or more the cost of this one. Though I've not yet read or reviewed other similar works, the bar has been set high.



5 out of 5 stars Every security professional (or wannabe) should read this book   September 21, 2007
  2 out of 2 found this review helpful

I'm not sure what I can write to sway you to buy or read the book if 5 star reviews from Ben Rothke and Richard Bejtlich don't sway you, but I'll throw my likes and dislikes in here anyway. I'm not a "metrics guy"; in fact, I'm still not, but I do think the book puts the concept of using them into perspective for the person that may not use any metrics in their security work.

I've been summing up the book to people at work by using the example (and I'll badly paraphrase) from the book of "if your spam gateway blocks 100,000 spam messages a day, is that a good metric?" Initially you may say yes, that is a good metric. In fact most people at work said the same thing. But, as the author explains, it is a poor metric. Better metrics are useful percentages like the percentage of missed spam or the percentage of false positives. Saying that 100,000 spam messages are being stopped only tells us that you have a ton of spam on your network.

Some of the things I liked about the book were the author's discussions on how to make charts more readable and efficient at portraying information. I had to read the Tufte books in college and have to admit that I got more out of chapter 6 (visualization) than I feel I learned in that whole semester of class. Chapter 2, discussing what makes good metrics, was extremely useful, as were chapters 3 & 4, because they gave good examples of metrics you can use to measure an organization's various defenses like perimeter security or application security. The discussion of using COBIT, ITIL and Security Frameworks in Chapter 4 was also good.

I only had two minor gripes. First, toward the end of the book the author talks about colors of slides and charts, which obviously doesn't do us any good since the book is in black and white. Second, he does use some big words throughout the book, and I did find myself having to go back and reread things. Could he have put it into simpler terms? Probably, but that doesn't make the book bad, it just means I need to work on my vocab :-)

Overall it was a good entrance to the world of security metrics for me and took away some of the perceived boredom of them. It definitely gave me some tools to look more critically at the numbers and stats that some of the vendors throw our way, as well as how to deliver data and information in a more useful manner.



5 out of 5 stars I liked it better than Cats!   September 19, 2007
  0 out of 3 found this review helpful

What a book. Seriously, I laughed, I cried. I shouted in frustration, only to be placated on the next page. I got a better understanding of what Andy has been banging on about with Security Metrics. And it helps me do my job better.


3 out of 5 stars Excellent info; too much nerd-speak   September 6, 2007
  0 out of 4 found this review helpful

As the other reviewers state, the information in this book is very valuable and would be an asset to any information security professional, particularly those of us involved in reporting metrics.

My only complaint is the author's writing style. He uses too much nerd-speak. By that I mean his sentences use a lot of giant, impressive-sounding words and jargon when he could say the same thing using simpler, day-to-day English. Because of that, the book was a difficult read for me. I had to re-read many parts to make sure I understood what the author was saying.

I'm at work now and don't have the book with me. I'll update this review later with some examples.