Like all books on metrics, early in PRAGMATIC Security Metrics: Applying Metametrics to Information Security authors Krag Brotby and Gary Hinson state that “you can't manage what you can't measure”.

The authors claim that other books on information security metrics discuss number theory and statistics in academic terms. This title promises to be light on mathematics and heavy on utility, and is meant as a how-to guide for security metrics.

Based on that claim, the authors likely had a book such as Data-Driven Security: Analysis, Visualization and Dashboards by Jay Jacobs and Bob Rudis in mind, as Jacobs and Rudis do indeed use statistics extensively in their approach to security metrics.

As to the title, PRAGMATIC is an acronym for the basis of the book's method: using metrics that are predictive, relevant, actionable, genuine, meaningful, timely, independent and cost.

One of the benefits of the book is that it provides a method for creating quantitative measures of risk, and for estimating which resources to apply in mitigating the risks identified.

The authors note that, as a consequence of the way the field of information security has developed from IT security, current practice in security metrics seems to be driven by the availability of raw data from firewalls and other systems. But when it comes to measuring security, many organizations completely ignore the nontechnical factors that are often of equal importance to managing information security in a manner that supports the firm's business objectives. That is precisely the gap the book is attempting to fix.

Chapter 7 makes up the bulk of the book, detailing over 150 different useful metrics to use.

For those looking for a book to help them develop their information security metrics program, PRAGMATIC Security Metrics: Applying Metametrics to Information Security is a valuable reference.