PRAGMATIC Security Metrics

Authors: W.Krag Brotby and Gary Hinson

The book is about how to create security metrics, how to assess them, who should use them, and above all why it is useful to use them at all.

PRAGMATIC stands for:

  • Predictive
  • Relevant
  • Actionable
  • Genuine
  • Meaningful
  • Accurate
  • Timely
  • Independent
  • Cheap

And these are the criteria against which each indicator must be assessed.

My personal favorite is the first: Predictive. An indicator must be able to say something about what can be expected in the near future. Actionable comes second for me, because an indicator must point to a measure that can be taken to adjust the indicator. Meaningful is important, because too often the owners of indicators are disappointed: indicators that are too easy are chosen, which are quickly and easily measurable but tell us only a little about the security of the organization. Meaningful, in my view, is diametrically opposed to Cheap, which could just as well have been “Complex”, because more complex indicators carry more information but are more difficult to obtain, more difficult to interpret and therefore more expensive to use.

Accurate reminds me that indicators should preferably yield figures that are correct. There must be room for a lot of discussion, which is difficult when the indicators are not accurately defined and/or measured.

The seventh characteristic, Timely, reflects the natural fact that management has no use for indicators whose moment has already passed. This is also important for the predictive nature of the indicator.

The book opens with an office memorandum: the CEO of the company briefly asks the CSO to argue why Information Security is important, with an answer due ‘tomorrow’.

The book then begins with an indispensable chapter: a lot of inspiration for making clear to the various target groups in the organization why working with security indicators is important, besides the fact that they are already in the habit of using many other indicators, mainly financial ones.

This is followed by chapters on, among other things, why we want to measure security. These too can help motivate and convince people in the organization.

The next important chapter is Chapter 6, which gives us an introduction to the mnemonic PRAGMATIC. Ultimately, however, the reader is free to choose other criteria.

The main body of the book, however, is Chapter 7, which applies the PRAGMATIC criteria to 150+ indicators, with a discussion of each one of them. This immerses the reader in the principle of thinking according to these criteria.

Then the book goes on to set up an Information Security Measurement System and the things that can be used for this. An introduction is given to Key Indicators and the disadvantages of metrics, and the practice is highlighted in, among other things, a chapter dealing with the case of the office memorandum from the beginning. This is followed by a not too complex conclusion. The book closes with a reply from the CSO to the CEO’s question at the beginning of the book.

Risk Management: Concepts and Guidance

Author: Carl L. Pritchard

The author gives a collection of facts in this book, roughly divided into two parts. In the first part, of three chapters, he gives a general explanation of risk management. In the second part, of more than thirty chapters, he explains (management) techniques that can be used in projects.

The added value of the book for the project manager is multiple:

  • You receive an explanation of the technique and its use
  • You are told the advantages and disadvantages of the technique
  • You can combine techniques according to whether they complement each other, such as combining brainstorming techniques with SWOT, a risk register and a risk matrix, supplemented with an urgency analysis and a sensitivity analysis

The second advantage of the book is that, in my opinion, it should not only be used in projects, but can also be used in business as usual (processes) or in drafting a multi-year plan for a larger organization.

There are also some minor disadvantages to the book in my opinion:

The fact that one must keep one's eyes open to recognize, report and assess risks throughout the course of the project as a whole is only emphasized in one of the last chapters. Also, in this fifth edition from 2015, one of the chapters still refers to ISO 17799, which has already been replaced by ISO 2700x.

But despite these two flaws, the book remains invaluable for a project manager, alongside ISO 31010, because the explanation of each technique is much more complete and clear. In my opinion it is a better starting point for exploring the assessment techniques needed to bring projects to a better end.