PRAGMATIC Security Metrics - Applying Metametrics to Information Security

Posted by Ben Rothke

Like all books on metrics, early in PRAGMATIC Security Metrics: Applying Metametrics to Information Security authors Krag Brotby and Gary Hinson state that “you can't manage what you can't measure”.

The authors claim that other books on information security metrics discuss number theory and statistics in academic terms. This title promises to be light on mathematics and heavy on utility, and is meant as a how-to-do-it guide for security metrics.

Based on that claim, the authors likely had a book such as Data-Driven Security: Analysis, Visualization and Dashboards by Jay Jacobs and Bob Rudis in mind, as Jacobs and Rudis do indeed use statistics extensively in their approach to security metrics.

As to the title, PRAGMATIC is an acronym for the criteria on which the book's method rates metrics: predictive, relevant, actionable, genuine, meaningful, timely, independent and cost.

One of the benefits of the book is that it provides a method to quantify risk and to estimate which resources to apply in mitigating the identified risks.

The authors note that, as a consequence of the way the field of information security has developed from IT security, current practice in security metrics seems to be driven by the availability of raw data from firewalls and other systems. But when it comes to measuring security, many organizations completely ignore the nontechnical factors that are often of equal importance to managing information security in a manner that supports the firm's business objectives. That is precisely the gap the book is attempting to fix.

Chapter 7 makes up the bulk of the book, detailing over 150 different useful metrics.

For those looking for a book to help them develop their information security metrics program, PRAGMATIC Security Metrics: Applying Metametrics to Information Security is a valuable reference.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
