Security Metrics: Replacing Fear, Uncertainty, and Doubt
December 2, 2008
Author: Andrew Jaquith
Publisher: Addison-Wesley Professional
Category: Book

List Price: $49.99
Buy New: $29.59
You Save: $20.40 (41%)
Buy New/Used from $26.95

Avg. Customer Rating: 4.5 out of 5 stars(19 reviews)
Sales Rank: 40406

Language: English
Media: Paperback
Edition: 1
Number Of Items: 1
Pages: 336
Shipping Weight (lbs): 1.1
Dimensions (in): 8.9 x 7 x 0.8

ISBN: 0321349989
Dewey Decimal Number: 658.47015195
EAN: 9780321349989
ASIN: 0321349989

Publication Date: April 5, 2007
Availability: Usually ships in 1-2 business days

Customer Reviews:
Showing reviews 6-10 of 19

3 out of 5 stars Excellent info; too much nerd-speak   September 6, 2007
  2 out of 7 found this review helpful

As the other reviewers state, the information in this book is very valuable and would be an asset to any information security professional, particularly those of us involved in reporting metrics.

My only complaint is the author's writing style. He uses too much nerd-speak. By that I mean his sentences use a lot of giant, impressive-sounding words and jargon when he could say the same thing using simpler, day-to-day English. Because of that, the book was a difficult read for me. I had to re-read many parts to make sure I understood what the author was saying.

I'm at work now and don't have the book with me. I'll update this review later with some examples.



5 out of 5 stars Security Metrics: Replacing Fear, Uncertainty & Doubt   August 24, 2007
  0 out of 2 found this review helpful

The book is an excellent resource for the security professional who is interested in implementing a strong industrial security program with measures that can assess its effectiveness. I highly recommend it.


5 out of 5 stars A ground-breaking book that all security managers should read   August 9, 2007
  23 out of 23 found this review helpful

I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.

Fortunately, Security Metrics offers another solution. The book gives readers three sets of information: theory, metrics, and tools (concepts, not programs). The theory chapters (1 and 2) were so concise yet insightful I was tempted to underline every sentence. (I am not kidding.) Even the Preface made me glad to be reading the book when it associated "security ROI" with "the Macarena" and called it a "needless distraction." I laughed in agreement when I saw Andy call "security enablement" the "Abominable Snowman: it is rarely spotted, but legions of people swear it exists. After all, as my friend Dan Geer puts it, 'You don't usually see airlines advertising how their planes fall out of the sky less often than their competitors.'" Why is that? My answer is simple: security is assumed and expected. Advertising anything else has no effect or makes people suspicious. I knew this book would be good.

The metrics chapters probably list hundreds of metrics you can extract verbatim and apply to your own environment. To the reviewer who wanted to reprint them in an appendix: they're called chapters 3 and 4. My main concern with the metrics was the focus on input-centric measurements instead of results. I would have liked to read more metrics on measuring whether security programs are working, rather than what techniques and tools are applied up front.

The tools chapters were helpful to anyone needing a statistics refresher. The visualization sections were especially helpful. (Feel free to dismiss yet another ignorant review from WB, who thinks a "review" means writing a few paragraphs after flipping through the pages of five books a day.) Andy's examples of turning lousy graphs and charts into information visualization vehicles should be followed by all managers.

Security Metrics is strengthened by the many stories from the author's consulting experience. I sensed that his techniques work and are not the product of the thought laboratory alone. I found his "Balanced Scorecard" approach to be interesting, especially to the degree it ties real metrics to business operations.

I had a few issues with terminology, such as using the term "threats" on p 231 when "attacks" is more accurate. (The football analogy is correct, however.) I semi-agreed with the author's suggestion to abandon "risk management" in favor of metrics-based approaches, but I didn't think two pages (4-5) were really enough to make the case. On p 264, threats are not risks, but they help instantiate risks. On pp 78-7, "risk of exploit" should be "ease of exploitation."

These are minor concerns, given the overwhelming concentration of practical and implementation-worthy pieces of information in Security Metrics. You must read this book if you care to measure security progress. Now we need Dan Geer to extend beyond writing wise forewords and articles into the world of his own book!



5 out of 5 stars Chicken Soup for the CISO's Soul   August 3, 2007
  1 out of 1 found this review helpful

All killer, no filler. Jaquith provides new directions in a field, information security, that sorely needs them. In a sea of infosec books this one stands out: a fresh approach to an important yet misunderstood topic; a focus on how to communicate, which is a key to success; and using numbers to amplify the decision support process.

Simply put, Security Metrics is a cookbook of ideas and you can pick up any chapter, read it, and get actionable ideas on how to improve your decision making in your security organization. The book begins by neatly encapsulating the flailing efforts seen in many enterprise infosec groups, which Jaquith dubs the "Hamster Wheel of Pain" aka ignorance is bliss. Set against this all too common problem statement are security metrics, which Jaquith proposes to measure if your security is getting better.

There is of course more than one way to approach security measurement. Jaquith looks at two: Measurers and Modelers. Measurers look at empirical data, correlation, essential practices, economic spending and before-and-after views. Modelers are more concerned with risk equations, loss expectancy, attack surfaces, and "why" questions. Most of the book is focused on a measurer's approach, so we don't get to see a grand overarching model. On the plus side, we do get lots of metrics recipes that can be plugged in and used in a real-world infosec program.

Probably the best chapter for the uninitiated is chapter 2, Defining a Good Security Metric, which summarizes these rules for good security metrics: Consistently Measured, Cheap to Gather, Expressed as a Cardinal Number, Expressed Using at Least One Unit of Measure. The chapter is equally useful in describing what metrics are not, explicitly excluding infosec sacred-cow audit metrics like ISO 17799 and Annual Loss Expectancy. If you are going to send a message to the rest of the herd, you have to be prepared to shoot some of the lead buffalo. Thank you, Mr. Jaquith.

Chapters 3 & 4 are where the cookbook comes together with a large number of detailed metrics recipes for measuring aspects of network security, host security, application security and so on. This is the "take this back to your desk and start working on this part" stuff. Chapter 5 presents a good overview of measurement analysis techniques so that you can better understand that which you just gathered. Useful again, because we are now in the realm of using numbers to better understand security instead of mere axiom.

The last part of the book is very important for enterprise infosec because it deals with scorecards and visualization; my partner Pat Christiansen likes to say that architecture is 50% technical ability and 50% communication. These chapters provide some Tufte-esque approaches to communicating the findings to different security stakeholder types, with ideas for facilitating communication up, down, and across the organization.

This is really a good book for anyone in IT to demystify the FUD-laden world of IT security. If you work in security it is a must read. If you manage a security group, I recommend buying a copy for everyone on your staff, waiting 2-4 weeks, and coming back to ask where the heck all the decision support metrics are.



4 out of 5 stars introductory discussion of stats and visualisation   May 31, 2007
  1 out of 3 found this review helpful

The advocacy of metrics in the book involves the search for objective metrics. That is, these could be used by different people or organisations, and yet arrive at the same results. Various metrics are suggested. You might well devise your own, based on the book's examples.

A chapter is devoted to analysis techniques. Frankly, it is quite rudimentary. Any statistician would be deeply unimpressed. It devotes space to defining mean and median, for example. Yes, it does go on to describe (slightly) more involved methods, notably a correlation matrix. You should treat this chapter as just a jumping-off point into statistics.

The next chapter talks about visualisation. It's not bad. Jaquith refers to Tufte's classic works on effective graphical displays. Basically, the chapter is a good summary of those books. One example is how not to use the default 3d effect in bar graphs, which often comes in packages like Microsoft Office or Open Office. This is where you are displaying one variable against another, but the graphics software can plot the bars in a 3d manner when there is no third variable. Totally useless. The book recommends, correctly, adhering to a strict 2d display. Much clearer. For those of you who don't want to read Tufte's works, the chapter conveys the essence.


Powered by: Dknc, inc. and Amazon.com