D**G
Powerful, practical and actionable
I've been running a security program for over 10 years and once in a while a book or reference comes along that truly helps me in my work. Lance Hayden's "IT Security Metrics" is one of those. My expectations were not terribly high as I've found most other metrics materials quickly devolve into near-academic debate fodder. Thankfully, being able to preview a sample on the Kindle, I was sold pretty quickly. There is a prescriptive quality to the book that makes me stop as I'm reading to make notes and begin working on them. Despite his exhaustive academic background, it seems Mr. Hayden also has very solid real-world experience and blends the two in a way that I do not often see. Therein lies the value of this book in my opinion. Rather than simply telling us how to continue to slog through the daily barrage, or taking a highly ethereal, idealistic high-ground position, this book describes in practical terms how we as security practitioners can systematically improve. More importantly, Mr. Hayden puts this improvement process purely in the context of the business we are there to support. Far too often security authors seem indifferent to the business implications of the art that we practice. If you are looking for an A to Z checklist, this isn't for you. If you are an experienced IT security person then the methods and approach Lance Hayden suggests will take immediate root. It quite simply makes sense. There are some books that I have to force myself to pick up; this is one of those that I have to force myself to put down. My only suggestion to Mr. Hayden -- turn this into a workshop!
D**N
IT security metrics supporting business objectives
I cite this book often in my metrics courses, specifically for its eloquent description of applying the GQM Goal-Question-Metric approach in the context of IT security. GQM is an excellent way to tease out and elaborate on the business objectives for IT security, leading to metrics with a genuine purpose and value other than someone's personal preferences. It runs out of steam when it comes to choosing between, shortlisting and selecting from the plethora of possible metrics that GQM generates ... but we picked up that very thread in PRAGMATIC Security Metrics: Applying Metametrics to Information Security.
S**R
Great Insight to Metrics Framework
In my search for a complete book on Information Security Metrics this was my third. I wish it had been my first; it would have been the only one I needed. I couldn't put it down. Dr. Hayden's writing and messages are clear, well written, engaging, and downright USEFUL! Theory and real-world examples (from Cisco) are presented in a clear, engaging style. This book sits on my desk and I refer to it often as my metrics program develops. If you need a book on this topic, this is THE ONE. Well done!
A**A
Nice, but not THE BOOK.
It's a nice book for people who don't have a way to start identifying security. Usually the problems that are listed in the book are caused by IT itself, which doesn't understand the business and likes to think it is the core of the company while it is just a middle-manager area. If IT managers accept that they are there to assist business decisions and help to identify risk and business continuity issues instead of just claiming more money and support, it will be much easier to achieve good metrics.
V**D
A great reference and how to implement a security metrics project or program
A great reference and how-to for implementing a security metrics project or program. My first of several books exploring this area. It stands the test of time and is still used and re-read for sections when needed professionally. It delivers as promised.
P**A
Solidly written & well presented book for IT Professionals essentials
Solidly written and well-presented book for IT professionals to convey the essentials and apply the practical framework of IT security metrics to keep the eye on the ball in a quickly changing business and IT landscape. I loaned it to my team and other colleagues, who gained a different appreciation of the value, effort and also individual responsibilities required to ensure an enterprise's IT security.
B**S
as well as processes and funny anecdotes. I highly recommend it
I am an experienced software professional, but a security newbie. This book will give you concrete advice, as well as processes and funny anecdotes. I highly recommend it.
J**N
Nothing Practical You Can Use
I was really disappointed in this book. I bought it after reading all the glowing reviews, but the reviews are very misleading. This book is too high-level and generic to be of any use to anyone wanting to learn how to create security metrics. It reads like an academic textbook with almost no real-world examples showing how to put these academic concepts to use. The reader is told what process the author believes is best for creating metrics, then is left to their own devices to figure out how to actually do it. It's not really about security metrics at all but more about building a Security Metrics Program. That sounds great and all, but show me an organization that is going to commit the time, money, and resources to something like this. There is a chapter on cost and value of security which, if properly written, would be the sole reason anyone would want to buy this book. But like the rest of the book, there are no examples of how to create metrics which can show senior management the cost and value of security. The author also spends way too much time justifying qualitative analysis. I can tell you first-hand that if you can't put a number on it, senior management isn't going to care about it. You might be better off just researching security metrics on the Internet than buying this book.