- ISBN: 9781420052855 | 1420052853
- Cover: Hardcover
- Copyright: 3/30/2009
Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and even more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical.
| Acknowledgments | p. xi |
| Introduction | p. xiii |
| Security Metrics Overview | p. 1 |
| Metrics and Objectives | p. 4 |
| Information Security | p. 7 |
| IT Security | p. 8 |
| Why the IT Metric Focus | p. 8 |
| Other Assurance Functions | p. 8 |
| Stakeholders | p. 10 |
| Endnotes | p. 10 |
| Security Metrics | p. 13 |
| Security Program Effectiveness | p. 14 |
| Types of Metrics | p. 15 |
| Information Assurance / Security Metrics Classification | p. 17 |
| Monitoring vs. Metrics | p. 18 |
| Endnotes | p. 18 |
| Current State of Security Metrics | p. 21 |
| Quantitative Measures and Metrics | p. 21 |
| Performance Metrics | p. 21 |
| Discussion | p. 25 |
| Financial Metrics | p. 25 |
| Return on Investment (ROI) | p. 26 |
| Payback Method | p. 26 |
| ROI Calculation | p. 27 |
| NPV | p. 29 |
| IRR | p. 29 |
| Return on Security Investment (ROSI) | p. 30 |
| SLE and ALE | p. 30 |
| ROSI | p. 31 |
| A New ROSI Model | p. 31 |
| A More Complex Security ROI | p. 32 |
| Security Attribute Evaluation Method (SAEM) | p. 35 |
| Cost-Effectiveness Analysis | p. 35 |
| Cost-Benefit Analysis | p. 36 |
| Fault Tree Analysis | p. 36 |
| Value at Risk (VAR) | p. 37 |
| ALE/SLE | p. 37 |
| Qualitative Security Metrics | p. 38 |
| Cultural Metrics | p. 39 |
| Risk Management through Cultural Theory | p. 39 |
| The Competing Values Framework | p. 40 |
| Organizational Structure | p. 42 |
| Hybrid Approaches | p. 43 |
| Systemic Security Management | p. 43 |
| Balanced Scorecard | p. 44 |
| The SABSA Business Attributes Approach | p. 46 |
| Quality Metrics | p. 48 |
| Six Sigma | p. 48 |
| ISO 9000 | p. 49 |
| Maturity Level | p. 49 |
| Benchmarking | p. 50 |
| Standards | p. 50 |
| OCTAVE | p. 51 |
| Endnotes | p. 51 |
| Metrics Developments | p. 53 |
| Statistical Modeling | p. 54 |
| Systemic Security Management | p. 55 |
| Value at Risk Analysis | p. 56 |
| Factor Analysis of Information Risk (FAIR) | p. 57 |
| Risk Factor Analysis | p. 58 |
| Probabilistic Risk Assessment (PRA) | p. 58 |
| Endnotes | p. 61 |
| Relevance | p. 63 |
| Problem Inertia | p. 64 |
| Correlating Metrics to Consequences | p. 64 |
| The Metrics Imperative | p. 67 |
| Study of ROSI of Security Measures | p. 68 |
| Resource Allocation | p. 69 |
| Managing without Metrics | p. 70 |
| Endnotes | p. 71 |
| Attributes of Good Metrics | p. 73 |
| Metrics Objectives | p. 75 |
| Measurement Categories | p. 75 |
| Effective Metrics | p. 77 |
| What Is Being Measured? | p. 79 |
| Why Is It Measured? | p. 80 |
| Who Are the Recipients? | p. 81 |
| What Does It Mean? | p. 81 |
| What Action Is Required? | p. 81 |
| Information Security Governance | p. 83 |
| Security Governance Outcomes | p. 84 |
| Defining Security Objectives | p. 85 |
| Sherwood Applied Business Security Architecture (SABSA) | p. 86 |
| CobiT | p. 86 |
| ISO 27001 | p. 89 |
| Capability Maturity Model | p. 90 |
| Current State | p. 91 |
| Information Security Strategy | p. 91 |
| Endnotes | p. 92 |
| Metrics Development-A Different Approach | p. 93 |
| The Information Security Manager | p. 94 |
| Activities Requiring Metrics | p. 96 |
| Criticality and Sensitivity | p. 97 |
| Degree of Risk or Potential Impact | p. 97 |
| Risk over Time | p. 97 |
| Options and Cost-Effectiveness | p. 97 |
| Ranking Metrics and Monitoring Requirements | p. 98 |
| Monitoring, Measures, or Metrics? | p. 98 |
| Information Security Governance Metrics | p. 101 |
| Strategic Security Governance Decisions | p. 101 |
| Strategic Security Governance Decision Metrics | p. 102 |
| Security Governance Management Decisions | p. 103 |
| Strategic Direction | p. 103 |
| Ensuring Objectives Are Achieved | p. 104 |
| Managing Risks Appropriately | p. 104 |
| Using Resources Responsibly | p. 105 |
| Security Governance Operational Decisions | p. 105 |
| Information Security Risk Management | p. 107 |
| Information Security Risk Management Decisions | p. 108 |
| Management Requirements for Information Security Risk | p. 109 |
| Criticality of Assets | p. 109 |
| Sensitivity of Assets | p. 110 |
| The Nature and Magnitude of Impacts | p. 110 |
| Vulnerabilities | p. 110 |
| Threats | p. 111 |
| Probability of Compromise | p. 111 |
| Strategic Initiatives and Plans | p. 111 |
| Acceptable Levels of Risk and Impact | p. 112 |
| Information Security Operational Risk Metrics | p. 112 |
| Information Security Program Development Metrics | p. 115 |
| Program Development Management Metrics | p. 116 |
| Program Development Operational Metrics | p. 117 |
| Information Security Management Metrics | p. 119 |
| Security Management Decision Support Metrics | p. 120 |
| Security Management Decisions | p. 122 |
| Strategic Alignment | p. 123 |
| Risk Management | p. 125 |
| Metrics for Risk Management | p. 126 |
| Assurance Process Integration | p. 132 |
| Value Delivery | p. 134 |
| Resource Management | p. 136 |
| Performance Measurement | p. 136 |
| Information Security Management Operational Decision Support Metrics | p. 137 |
| IT and Information Security Management | p. 137 |
| Compliance Metrics | p. 138 |
| Endnotes | p. 147 |
| Incident Management and Response | p. 149 |
| Incident Management Decision Support Metrics | p. 150 |
| Is It Actually an Incident? | p. 150 |
| What Kind of Incident Is It? | p. 151 |
| Is It a Security Incident? | p. 151 |
| What Is the Severity Level? | p. 151 |
| Are There Multiple Events and/or Impacts? | p. 152 |
| Will an Incident Need Triage? | p. 152 |
| What Is the Most Effective Response? | p. 152 |
| What Immediate Actions Must be Taken? | p. 153 |
| Which Incident Response Teams and Other Personnel Must be Mobilized? | p. 153 |
| Who Must be Notified? | p. 153 |
| Who Is in Charge? | p. 153 |
| Is It Becoming a Disaster? | p. 153 |
| Conclusions | p. 155 |
| Predictive Metrics | p. 155 |
| Acronyms | p. 157 |
| Metrics Classifications | p. 165 |
| IA Program Developmental Metrics | p. 165 |
| Policy Management Metrics | p. 165 |
| Process Maturity Metrics | p. 165 |
| Support Metrics | p. 166 |
| Personnel Support Metrics | p. 166 |
| Resource Support Metrics | p. 166 |
| Operational Metrics | p. 166 |
| Operational Readiness Metrics | p. 166 |
| Management Readiness Metrics | p. 167 |
| Technical Readiness Metrics | p. 167 |
| Operational Practice Metrics | p. 167 |
| Operational Environment Metrics | p. 167 |
| Effectiveness Metrics | p. 168 |
| Metrics for Technical Target of Assessment (TTOA) | p. 168 |
| Metrics for Strength Assessment | p. 168 |
| Metrics for Weakness Assessment | p. 169 |
| Acknowledgments | p. 170 |
| Endnotes | p. 170 |
| References | p. 170 |
| Cultural Worldviews | p. 171 |
| Endnotes | p. 173 |
| The Competing Values Framework | p. 175 |
| Cultural Dimensions | p. 175 |
| Horizontal: In/Out | p. 175 |
| Vertical: Stability/Flexibility | p. 175 |
| The Competing Values Map | p. 175 |
| Hierarchy | p. 176 |
| Market | p. 176 |
| Clan | p. 176 |
| Adhocracy | p. 177 |
| The Organization Culture Assessment Instrument (OCAI) | p. 179 |
| SABSA Business Attribute Metrics | p. 181 |
| Endnotes | p. 200 |
| Capability Maturity Model | p. 201 |
| Initial | p. 201 |
| Repeatable | p. 201 |
| Defined | p. 202 |
| Managed | p. 202 |
| Optimizing | p. 202 |
| Probabilistic Risk Assessment | p. 205 |
| What Is Probabilistic Risk Assessment? | p. 205 |
| What Are the Benefits of PRA? | p. 207 |
| Index | p. 211 |
| Table of Contents provided by Ingram. All Rights Reserved. |
What is included with this book?
The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.
The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Please wait while the item is added to your bag...
×
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.