Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional

	Title: Security Metrics: Replacing Fear, Uncertainty, and Doubt Purchase Item Manufacturer: Addison-Wesley Professional List Price: $49.99 Our Price: $28.94
Customer Reviews:
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional A necessary paradigm shift for information security
Upon completion of this book, I began to muse: what percentage of security professionals have given any thought to security metrics? For those that have actually considered the topic, with what level of frequency do they entertain thoughts of security metrics? Yearly? Monthly? Daily? Gee, I think to myself, I'd like to see a time series analysis exhibit of that... Based on the fact that I sit here torturing myself with these thoughts, I contend that Security Metrics has already influenced my approach toward security management. Indeed, Jaquith has done an excellent job of exposing an area that is critical to effective security management, but to which many security practitioners (myself included) have previously paid lip service. Security Metrics offers valuable insight to organizations seeking to provide a greater level of intelligence and meaning around their security program(s). In addition to how well the ideas of the book resonated with my own professional and academic background, the choice to give a 5 star rating was based on its organization, readability, entertaining quips, and the fact that many of the alternative publications in the realm of security metrics are triple or more the cost of this one. Though I've not yet read or reviewed other similar works, the bar has been set high.
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional Every security professional (or wannabe) should read this book
I'm not sure what I can write to sway you to buy or read the book if 5 star reviews from Ben Rothke and Richard Bejtlich don't sway you but I'll throw my likes and dislikes in here anyway. I'm not a "metrics guy" in fact, I'm still not , but I do think the book puts the concept of using them into perspective for the person that may not use any metrics in their security work. I've been summing up the book to people at work by using the example (and I'll badly paraphrase) from the book of "if your spam gateway blocks 100,000 spam messages a day is that a good metric?" Initially you may say yes, that is a good metric. In fact most people at work said the same thing. But, as the author explains it is a poor metric. Better metrics are useful percentages like the percentage of missed spam or the percentage of false positives. Saying that 100,000 spam message are being stopped only tells us that you have a ton of spam on your network. Some of the things I liked about the book were the author's discussions on how to make charts more readable and efficient at portraying information. I had to read the Tufte books in college and have to admit that I got more out of chapter 6 (visualization) than I feel I learned that whole semester of class. Chapter 2 discussing what makes good metrics was extremely useful, as well were chapters 3 & 4 because they gave good examples of metrics you can use to measure an organizations various defenses like perimeter security or application security. The discussion of using COBIT, ITIL and Security Frameworks in Chapter 4 was also good. I only had two minor gripes. First was that toward the end of the book the author talks about colors of slides and charts which obviously doesn't do us any good since the book is in black and white and second, that he does use some big words throughout the book and I did find myself having to go back and reread things. Could he have put it into simpler terms, probably, but that doesn't make the book bad, just means I need to work on my vocab :-) Overall it was a good entrance to the world of security metrics for me and took and away some of the perceived boredom of them. It definitely gave me some tools to look more critically at the numbers and stats that some of the vendors throw our way as well as how to deliver data and information in a more useful matter.
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional I liked it better than Cats!
What a book. Seriously, I laughed, I cried. I shouted in frustration, only to be placated on the next page. I got a better understanding of what Andy has been banging on about with Security Metrics. And it helps me do my job better.
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional Excellent info; too much nerd-speak
As the other reviewers state, the information in this book is very valuable and would be an asset to any information security professional, particularly those of us involved in reporting metrics. My only complaint is the author's writing style. He uses too much nerd-speak. By that I mean his sentences use a lot of giant, impressive-sounding words and jargon when he could say the same thing using simpler, day-to-day english. Because of that, the book was a difficult read for me. I had to re-read many parts to make sure I understood what the author was saying. I'm at work now and don't have the book with me. I'll update this review later with some examples.
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional Security Metrics: Replacing Fear, Undertainty & Doubt
The book is an excellent resource for the security professional who is interested in implementing a strong industrial security program with measures that can assess its effectiveness. I highly recommend it.
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Addison-Wesley Professional Product Description
<>The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise. Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management. Security Metrics successfully bridges management’s quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith’s extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. You’ll learn how to: • Replace nonstop crisis response with a systematic approach to security improvement • Understand the differences between “good” and “bad” metrics • Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk • Quantify the effectiveness of security acquisition, implementation, and other program activities • Organize, aggregate, and analyze your data to bring out key insights • Use visualization to understand and communicate security issues more clearly • Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources • Implement balanced scorecards that present compact, holistic views of organizational security effectiveness Whether you’re an engineer or consultant responsible for security and reporting to management–or an executive who needs better information for decision-making–Security Metrics is the resource you have been searching for. Andrew Jaquith, program manager for Yankee Group’s Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist. Foreword Preface Acknowledgments About the Author Chapter 1 Introduction: Escaping the Hamster Wheel of Pain Chapter 2 Defining Security Metrics Chapter 3 Diagnosing Problems and Measuring Technical Security Chapter 4 Measuring Program Effectiveness Chapter 5 Analysis Techniques Chapter 6 Visualization Chapter 7 Automating Metrics Calculations Chapter 8 Designing Security Scorecards Index