Despite 20 years of research and practical application, security metrics programs have not matured as expected. The promise of a universal oracle has not been fulfilled and CIOs are still inundated with pointless or deceptive metrics. This session will explore research on why this is, how to overcome the cycle of stagnation and what measurement strategies have proven successful.
Learning Objectives: 1: Dispel incorrect assumptions and learn what makes a successful metrics program. 2: Spawn creative ideas for how to improve metrics, both within an organization and broadly. 3: Understand how and why literature and practical application differ regarding security metrics.
Prerequisites: Basic understanding of the development, implementation and use of information security metrics.