BKSECMTR.RVW 20070612 "Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9, U$49.99/C$61.99 %A Andrew Jaquith %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2007 %G 0-321-34998-9 978-0-321-34998-9 %I Addison-Wesley Publishing Co. %O U$49.99/C$61.99 fax: 416-443-0948 800-822-6339 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/0321349989/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321349989/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321349989/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 306 p. %T "Security Metrics: Replacing Fear, Uncertainty, and Doubt" In the Foreword, Dan Geer states that the book is not about selling the idea of metrics. Which makes the initial chapters a bit problematic: if they aren't about selling the idea of metrics, what are they about? Chapter one is supposed to be an introduction, but seems primarily focused on the idea that metrics are not about risk management. (There is also an assertion that proper metrics are "well understood across industries, and consistently measured," which is interesting because much of what follows appears to contradict this statement.) The definition of security metrics, in chapter two, addresses metrics from fields other than security, and emphasizes the position that metrics are important (and that the current "metrics," such as checklist frameworks and annualized loss expectancy, are inadequate). Chapter three divides metrics into four general areas, dealing with perimeter security, control, availability, and applications development. Brief examples of collections of metrics related to these fields are given in the text, although the lists can't be expected to be comprehensive, due to the huge scope of security as a whole. The second of these topics, control, is probably the subject of chapter four, although it is entitled "Measuring Program Effectiveness." Basic concepts from statistics, such as the difference between mean (average) and median (midpoint of a set of elements), are presented in chapter five. Chapter six talks about demonstrating data in a visual manner. Most of the material consists of suggestions for graphics and examples are given "redrawing" the displays of commercial programs. Aspects of automating the calculations of security metrics are outlined in chapter seven. In chapter eight, Jaquith recommends the use of a security scorecard based on the Balanced Scorecard management assessment model. Security can be difficult to define, let alone measure, and, in general, too little attention is paid to numeric assessments that can assist in determining how well we are performing at the task. This book does go somewhat beyond a mere exhortation to create and use metrics for security, but it still leaves an awful lot of work for the practitioner or manager. copyright Robert M. Slade, 2007 BKSECMTR.RVW 20070612