PRAGMATIC Security Metrics by W.Krag Brotby and Gary Hinson
PRAGMATIC Security Metrics is about how to create security metrics, how to assess them, whom to use them for, and above all why using them is worthwhile.
Creating a context
PRAGMATIC Security Metrics opens with an office memorandum: the CEO of the company briefly asks the CSO to argue why Information Security is important, with an answer due ‘tomorrow’.
The book then begins with an indispensable chapter: plenty of inspiration for making clear to the various target groups in the organization why working with security indicators is important, given that they are already in the habit of using many other indicators, mainly financial ones.
This is followed by chapters on, among other things, why we want to measure security. This too can help convince people in the organization.
Chapter 6 introduces the mnemonic PRAGMATIC. Ultimately, however, the reader is free to choose other criteria.
PRAGMATIC stands for:
- Predictive
- Relevant
- Actionable
- Genuine
- Meaningful
- Accurate
- Timely
- Independent
- Cheap
These are the criteria against which each indicator must be assessed.
My personal favorites
My personal favorite is the first: Predictive. An indicator must be able to say something about what can be expected in the near future. The second, for me, is Actionable, because an indicator must be able to point to a measure that can adjust the indicator. Meaningful is important, because too often the owners of the indicators are disappointed: indicators are made too easy, quickly and easily measurable, but telling us only a little about the security of the organization. Meaningful, in my view, is diametrically opposed to Cheap, which should have been “Complex”, because more complex indicators carry more information but are more difficult to obtain, more difficult to interpret and therefore more expensive to use.
Accurate then reminds me of the fact that indicators had best yield figures that are correct. A lot of discussion must be allowed for, which is difficult when the indicators are not defined and/or measured accurately.
The seventh characteristic, Timely, expresses the natural fact that management has no use for indicators that have already passed their time. This is also important for the predictive nature of the indicator.
Applying the PRAGMATIC criteria
The main chapter, however, is Chapter 7, which applies the PRAGMATIC criteria to 150+ indicators, with a discussion of each one of them. This immerses the reader in the principle of thinking according to these criteria.
The book then goes on to setting up an Information Security Measurement System and the things that can be used for this. An introduction is given to key indicators and to the disadvantages of metrics, and practice is highlighted in, among other things, a chapter dealing with the case of the office memorandum from the beginning. This is followed by a not too complex conclusion. The book closes with the CSO’s reply to the CEO’s question posed at the beginning of the book.