Educause Security Discussion mailing list archives
Re: Security Metrics
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Sun, 4 Nov 2007 12:42:46 -0700
I've read this book, and I enjoyed it. In fact, I didn't have to leave my living-room chair to grab it after reading your question. I think Jaquith makes a bit too much of the "you can't improve what you can't measure" mantra, but I do think he lays out a good case for the need to do better measuring of security activities. It would be hard to imagine an organization that has never done security metrics using only this book to create something from scratch, but I think the book certainly can serve as a guideline to shoot for.

One useful observation, which I had dog-eared for later reference, is Jaquith's contention that the use of asset valuation (Annualized Loss Expectancy, etc.) in security risk analysis is next to useless. He feels that we need metrics that are less vulnerable to mis-estimation and "spreadsheet engineering" (his term).

I'd recommend it as a thought-provoking, good read.

Steve Lovaas
Colorado State University

________________________________________
From: Wes Young [wcyoung () BUFFALO EDU]
Sent: Saturday, November 03, 2007 7:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Metrics

http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

Has anyone read this? Any interesting reviews?

--
Wes Young
Network Security Analyst
University at Buffalo