Book
Author Hayden, Lance.

Title IT security metrics : a practical framework for measuring security & protecting data / Lance Hayden
Published New York : McGraw Hill, [2010]
©2010

Copies

Location Call no. Vol. Availability
 MELB  005.8 Hay/Ism  AVAILABLE
Description xxvii, 368 pages : illustrations ; 23 cm
Contents Machine generated contents note:
 pt. I Introducing Security Metrics
  1. What Is a Security Metric? -- Metrics and Measurement -- Metrics Are a Result -- Measurement Is an Activity -- Security Metrics Today -- Risk -- Security Vulnerability and Incident Statistics -- Annualized Loss Expectancy -- Return on Investment -- Total Cost of Ownership -- The Dissatisfying State of Security Metrics: Lessons from Other Industries -- Insurance -- Manufacturing -- Design -- Reassessing Our Ideas About Security Metrics -- Thinking Locally -- Thinking Analytically -- Thinking Ahead -- Summary -- Further Reading
  2. Designing Effective Security Metrics -- Choosing Good Metrics -- Defining Metrics and Measurement -- Nothing Either Good or Bad, but Thinking Makes It So -- What Do You Want to Know? -- Observe! -- GQM for Better Security Metrics -- What Is GQM? -- Setting Goals -- Asking Questions -- Assigning Metrics -- Putting It All Together -- The Metrics Catalog -- More Security Uses for GQM -- Measuring Security Operations -- Measuring Compliance to a Regulation or Standard -- Measuring People and Culture -- Applying GQM to Your Own Security Measurements -- Summary -- Further Reading
  3. Understanding Data -- What Are Data? -- Definitions of Data -- Data Types -- Data Sources for Security Metrics -- System Data -- Process Data -- Documentary Data -- People Data -- We Have Metrics and Data: Now What? -- Summary -- Further Reading
  Case Study 1: In Search of Enterprise Metrics -- Scenario One: Our New Vulnerability Management Program -- Scenario Two: Who's on First? -- Scenario Three: The Value of a Slide -- Scenario Four: The Monitoring Program -- Scenario Five: What Cost, the Truth? -- Summary
 pt. II Implementing Security Metrics
  4. The Security Process Management Framework -- Managing Security as a Business Process -- Defining a Business Process -- Security Processes -- Process Management over Time -- The SPM Framework -- Security Metrics -- Security Measurement Projects -- The Security Improvement Program -- Security Process Management -- Before You Begin SPM -- Getting Buy-in: Where's the Forest? -- The Security Research Program -- Summary -- Further Reading
  5. Analyzing Security Metrics Data -- The Most Important Step -- Reasons for Analysis -- What Do You Want to Accomplish? -- Preparing for Data Analysis -- Analysis Tools and Techniques -- Descriptive Statistics -- Inferential Statistics -- Other Statistical Techniques -- Qualitative and Mixed Method Analysis -- Summary -- Further Reading
  6. Designing the Security Measurement Project -- Before the Project Begins -- Project Prerequisites -- Deciding on a Project Type -- Tying Projects Together -- Getting Buy-in and Resources -- Phase One: Build a Project Plan and Assemble the Team -- The Project Plan -- The Project Team -- Phase Two: Gather the Metrics Data -- Collecting Metrics Data -- Storing and Protecting Metrics Data -- Phase Three: Analyze the Metrics Data and Build Conclusions -- Phase Four: Present the Results -- Textual Presentations -- Visual Presentations -- Disseminating the Results -- Phase Five: Reuse the Results -- Project Management Tools -- Summary -- Further Reading
  Case Study 2: Normalizing Tool Data in a Security Posture Assessment -- Background: Overview of the SPA Service -- SPA Tools -- Data Structures -- Objectives of the Case Study -- Methodology -- Challenges -- Summary
 pt. III Exploring Security Measurement Projects
  7. Measuring Security Operations -- Sample Metrics for Security Operations -- Sample Measurement Projects for Security Operations -- SMP: General Risk Assessment -- SMP: Internal Vulnerability Assessment -- SMP: Inferential Analysis -- Summary -- Further Reading
  8. Measuring Compliance and Conformance -- The Challenges of Measuring Compliance -- Confusion Among Related Standards -- Auditing or Measuring? -- Confusion Across Multiple Frameworks -- Sample Measurement Projects for Compliance and Conformance -- Creating a Rationalized Common Control Framework -- Mapping Assessments to Compliance Frameworks -- Analyzing the Readability of Security Policy Documents -- Summary -- Further Reading
  9. Measuring Security Cost and Value -- Sample Measurement Projects for Compliance and Conformance -- Measuring the Likelihood of Reported Personally Identifiable Information (PII) Disclosures -- Measuring the Cost Benefits of Outsourcing a Security Incident Monitoring Process -- Measuring the Cost of Security Processes -- The Importance of Data to Measuring Cost and Value -- Summary -- Further Reading
  10. Measuring People, Organizations, and Culture -- Sample Measurement Projects for People, Organizations, and Culture -- Measuring the Security Orientation of Company Stakeholders -- An Ethnography of Physical Security Practices -- Summary -- Further Reading
  Case Study 3: Web Application Vulnerabilities -- Source Data and Normalization -- Outcomes, Timelines, Resources -- Initial Reporting with "Dirty Data" -- Ambiguous Data -- Determining Which Source to Use -- Working with Stakeholders to Perform Data Cleansing -- Follow-up with Reports and Discussions with Stakeholders -- Lesson Learned: Fix the Process, and Then Automate -- Lesson Learned: Don't Wait for Perfect Data Before Reporting -- Summary
 pt. IV Beyond Security Metrics
  11. The Security Improvement Program -- Moving from Projects to Programs -- Managing Security Measurement with a Security Improvement Program -- Governance of Security Measurement -- The SIP: It's Still about the Data -- Requirements for a SIP -- Before You Begin -- Documenting Your Security Measurement Projects -- Sharing Your Security Measurement Results -- Collaborating Across Projects and Over Time -- Measuring the SIP -- Security Improvement Is Habit Forming -- Is the SIP Working? -- Is Security Improving? -- Case Study: A SIP for Insider Threat Measurement -- Summary -- Further Reading
  12. Learning Security: Different Contexts for Security Process Management -- Organizational Learning -- Three Learning Styles for IT Security Metrics -- Standardized Testing: Measurement in ISO/IEC 27004 -- The School of Life: Basili's Experience Factory -- Mindfulness: Karl Weick and the High-Reliability Organization -- Final Thoughts -- Summary -- Further Reading
  Case Study 4: Getting Management Buy-in for the Security Metrics Program -- The CISO Hacked My Computer -- What Is Buy-in? -- Corporations vs. Higher Ed: Who's Crazier? -- Higher Education Case Study -- Project Overview -- Themes -- Findings -- Key Points -- Influence and Organizational Change -- Conclusion
Notes Formerly CIP. UK
Bibliography Includes bibliographical references and index
Subject Information technology -- Security measures -- Evaluation.
Data protection -- Evaluation.
Computer security -- Evaluation.
Computer crimes -- Prevention -- Measurement.
LC no. 2010020201
ISBN 9780071713405 alkaline paper
0071713409 alkaline paper
Other Titles Practical framework for measuring security and protecting data