Educause Security Discussion mailing list archives

Re: Security Metrics


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Sun, 4 Nov 2007 12:42:46 -0700

I've read this book, and I enjoyed it. In fact, I didn't have to leave my living-room chair to grab it after reading 
your question.

I think Jaquith makes a bit too much of the "you can't improve what you can't measure" mantra, but I do think he lays 
out a good case for the need to do better measuring of security activities. It would be hard to imagine an organization 
that has never done security metrics using only this book to create something from scratch, but I think the book 
certainly can serve as a guideline to shoot for.

One useful observation, which I had dog-eared for later reference, is Jaquith's contention that the use of asset 
valuation (Annualized Loss Expectancy, etc.) in security risk analysis is next to useless. He feels that we need metrics 
that are less vulnerable to mis-estimation and "spreadsheet engineering" (his term).

I'd recommend it as a thought-provoking, good read.

Steve Lovaas
Colorado State University

________________________________________
From: Wes Young [wcyoung () BUFFALO EDU]
Sent: Saturday, November 03, 2007 7:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Metrics

http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989

Has anyone read this? Any interesting reviews?

--
Wes Young
Network Security Analyst
University at Buffalo
