PRAGMATIC Security Metrics

Authors: W.Krag Brotby and Gary Hinson

The book is about how to make security metrics, assess, for whom to use them, but above all that it is useful to use them.

PAGMATIC stands for:

  • Predictive
  • Relevant
  • Actionable
  • Genuine
  • Meaningful
  • Accurate
  • Timely
  • Independent
  • Cheap

And these are the criteria on which each indicator must be assessed.

My personal favorite is the first: Predictive. An indicator must be able to tell something about what can be expected in the near future. The second is Actionable for me, because an indicator must be able to provide a measure that can adjust the indicator. Meaningful is important, because too often the owners of the indicators are disappointed, because too easy indicators are made, which are quickly and easily measurable, but tell us only a little bit about the security of the organization. Meaningful, in my view, is diametrically opposed to Cheap, which had to be “Complex”, because more complex indicators carry more information, but are more difficult to obtain, more difficult to interpret and therefore more expensive to use.

Accurate then reminds me of the fact that indicators best yield figures that are correct. A lot of discussion must be allowed, which is difficult when the indicators are not defined and / or measured accurate.

The seventh characteristic, Timely, indicates the natural characteristic that the management has no message from indicators that have already passed their time. This is also important for the predictive nature of the indicator.

The book opens with an office memorandum: the CEO of the company briefly asks the CSO to argue why Information Security is important. An answer that is due ‘tomorrow’.

The book then begins with a chapter that is indispensable: a lot of inspiration to make clear to the various target groups in the organization why working with Security Indicators is important, besides the fact that they already have the habit to use many other indicators, mainly financially.

This is followed by chapters on amongst other things, why we want to measure Security. This too can be motivating to help convince people in the organization.

The next important chapter is Chapter 6, which gives us an introduction to the mnemonic PRAGMATIC. Ultimately, however, the reader is free to choose other criteria.

However, the main chapter is claimed in Chapter 7 by applying the PRAGMATIC criteria to 150+ indicators, with a discussion of each one of them. This is to immerse the reader in the principle of thinking according to these criteria.

Then the book goes on to set up an Information Security Measurement System and the things that can be used for this. An introduction is given in Key Indicators, the disadvantages of metrics, and the practice is highlighted in, among other things, a chapter dealing with the case of the office memorandum in the beginning. This is followed by a not too complex conclusion. The book concludes with a reply from the CSO to the CEO’s question at the beginning of the book.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields. Since 2012, he has been working at the Crisis Centre of the Flemish Government (CCVO), where he has progressed in BCM, risk management, and crisis management. Since August 2021, he has been a knowledge worker for the CCVO. As of January 2024, he works at the Department of Chancellery and Foreign Affairs of the Flemish Government. Here, he combines BCM, risk management, and crisis management to create a tailored form of resilience management to meet the needs of the Flemish Government.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts