Author Brotby, W. Krag, author.

Title Information security management metrics : a definitive guide to effective security monitoring and measurement / W. Krag Brotby. [O'Reilly electronic resource]

Imprint Boca Raton : Auerbach Publications, ©2009.
Description 1 online resource (xix, 223 pages) : illustrations
Bibliography Includes bibliographical references and index.
Contents Security metrics overview -- Metrics and objectives -- Information security -- IT security -- Other assurance functions -- Stakeholders -- Security metrics -- Security program effectiveness -- Types of metrics -- Information assurance / security metrics classification -- Monitoring vs. metrics -- Current state of security metrics -- Quantitative measures and metrics -- Financial metrics -- Return on investments -- Payback method -- ROI calculation -- NPV -- IRR -- Return on security investment (ROSI) -- SLE and ALE -- ROSI -- A new ROSI model -- A more complex security ROI -- Security attribute evaluation method (SAEM) -- Cost-effectiveness analysis -- Cost-benefit analysis -- Fault tree analysis -- Value at risk (VAR) -- ALE/SLE -- Qualitative security metrics -- Cultural metrics -- Risk management through cultural theory -- The competing values framework -- Organizational structure -- Hybrid approaches -- Systemic security management -- Balanced scorecard -- The SABSA business attributes approach -- Quality metrics -- Six sigma -- ISO 9000 -- Maturity level -- Benchmarking -- Standards -- OCTAVE -- Metrics developments -- Statistical modeling -- Systemic security management -- Value at risk analysis -- Factor analysis of information risk (FAIR) -- Risk factor analysis -- Probabilistic risk assessment (PRA) -- Relevance -- Problem inertia -- Correlating metrics to consequences -- The metrics imperative -- Study of ROSI of security measures -- Resource allocation -- Managing without metrics -- Attributes of good metrics -- Metrics objectives -- Measurement categories -- Effective metrics -- What is being measured? -- Why is it measured? -- Who are the recipients? -- What does it mean? -- What action is required? -- Information security governance -- Security governance outcomes -- Defining security objectives -- Sherwood applied business security architecture (SABSA) -- CobiT -- ISO 27001 -- Capability maturity model -- Current state -- Information security strategy -- Metrics development -- A different approach -- The information security manager -- Activities requiring metrics -- Criticality and sensitivity -- Degree of risk or potential impact -- Risk over time -- Options and cost-effectiveness -- Ranking metrics and monitoring requirements -- Monitoring, measures, or metrics? -- Information security governance metrics -- Strategic security governance decisions -- Strategic security governance decision metrics -- Security governance management decisions -- Strategic direction -- Ensuring objectives are achieved -- Managing risks appropriately -- Using resources responsibly -- Security governance operational decisions -- Information security risk management -- Information security risk management decisions -- Management requirements for information security risk -- Criticality of assets -- Sensitivity of assets -- The nature and magnitude of impacts -- Vulnerabilities -- Threats -- Probability of compromise -- Strategic initiatives and plans -- Acceptable levels of risk and impact -- Information security operational risk metrics -- Information security program development metrics -- Program development management metrics -- Program development operational metrics -- Information security management metrics -- Security management decision support metrics -- Security management decisions -- Strategic alignment -- Risk management -- Metrics for risk management -- Assurance process integration -- Value delivery -- Resource management -- Performance measurement -- Information security management operational decision support metrics -- IT and information security management -- Compliance metrics -- Incident management and response -- Incident management decision support metrics -- Is it actually an incident? -- What kind of incident is it? -- Is it a security incident? -- What is the severity level? -- Are there multiple events and / or impacts? -- Will an incident need triage? -- What is the most effective response? -- What immediate actions must be taken? -- Which incident response teams and other personnel must be mobilized? -- Who must be notified? -- Who is in charge? -- Is it becoming a disaster? -- Conclusions -- Predictive metrics.
Summary Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical. Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides anyone with security and risk management responsibilities insight into these critical security questions: a- How secure is my organization?; b- How much security is enough?; c- What are the most cost-effective security solutions?; and d- How secure is my organization? This volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization's business objectives. It provides a comprehensive overview of security metrics, discusses the current state of metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response. -- Back cover.
Subject Information technology -- Security measures.
Computer security.
Business enterprises -- Computer networks -- Security measures.
Data protection.
Information technology -- Security -- Measures.
Computer security.
Information protection (Computing).
Other Form: Print version: Brotby, W. Krag. Information security management metrics. Boca Raton : CRC Press, ©2009 9781420052855 (DLC) 2009000669 (OCoLC)148650233
ISBN 9781420052862 (electronic bk.)
1420052861 (electronic bk.)