Measures and Metrics in Corporate Security

Two of the most famous quotes from Lord Kelvin are “to measure is to know” and “if you cannot measure it, you cannot improve it”. In that spirit, in Measures and Metrics in Corporate Security, author George Campbell provides a quick, high-level introduction to the topic of metrics and measurement. Campbell is the former Chief Security Officer at Fidelity Investments, where metrics are used heavily.

Security metrics are a key initiative for many CISOs. What they often struggle with is how to find the right information security metrics, and how to turn them into operational measurements that can be used to support the business.


The first part of the book contains the following 3 chapters, which span the first 70 pages:

Chapter 1: The Basics

Chapter 2: Types of Metrics and Performance Indicators Appropriate to the Security Mission

Chapter 3: Building a Model Appropriate to Your Needs

The next 70 pages contain the following appendixes:

Appendix 1: Examples of Security-Related Measures and Metrics

Appendix 2: Trade Associations and Other Organizations with Security Voluntary Compliance Programs

Appendix 3: Sample High-Level Security Work Breakdown Structure

Appendix 4: Physical Security Cost Estimating Tables

Appendix 5: Risk Measure Maps

The book does not have a companion website, and it would have been quite beneficial if the templates detailed in the appendixes were available in soft copy.

The book notes that security metrics can be easy to create. But really good security metrics, those that add value to the organization, can be difficult to develop. For those looking to create good security metrics, Measures and Metrics in Corporate Security is a good starting point.

This document was retrieved from on Mon, 24 Oct 2016 23:10:52 -0400.
© 2016 EMC Corporation. All rights reserved.