G**T
Good book for cyber report metrics
Awesome book! Thanks to Amazon, I got this fast. It is a well-written book and useful for reference! I am keeping this next to my computer! Worth the read!!!
L**I
Finally, a handbook for security metrics!
Finally, a good resource on security metrics that doesn't take a degree in calculus to implement! A great how-to book on metrics, but also goes beyond to explain the fundamentals for an information security program. - Lisa Lee, an Information Security Professional
D**N
Developing security metrics is hardly a job for beginners ...
... but we all had to start somewhere! In discussing the broader context within which security metrics make sense, this book helps readers shimmy across from routine security operations through management into the heady world of strategic objectives and measurement. Along the way, it points out useful approaches such as exploiting metrics to persuade and convince management colleagues to get behind the security program, and considering the variety of audiences for security metrics. The book seems, to me, quite light on identifying and clarifying measurement objectives which arise from and support organizational/business objectives for information risk and security management, but then that's a deep personal interest. Maybe I'm being mean but I'm not your average reader! Overall, a worthwhile contribution to the field.
N**A
Purely academic - a complete waste of money.
I was searching for a book that would provide a concise and easily understandable step-by-step guide to setting up a practical security metrics program. What I got was a disjointed and rambling master's thesis on how security metrics may be overcomplicated and turned into a program that would take 5 people and 200 hours a week to set up and maintain. If you are the CISO at Ford Motor Company, this might be a good book for you. If you are at a reasonably sized organization and are trying to share pragmatic security metrics with your board, or senior management, this is the farthest thing from helpful. Of the four books I purchased on metrics, this was by far the most pedantic. The checklists mentioned in another review are non-existent, and the sections designed to put theory into action are not actions, they instead come up with something ridiculous that would get you thrown out of a metrics peer review meeting, let alone a boardroom. Great for a master's thesis, or if you are in a job that does nothing else but security metrics, or you are recovering at home for six weeks from a car accident, but you still won't come away with much that is actionable.
M**S
Another good book
For the people studying the IT field this book has good information. The forms can be adapted at the real work environment, very helpful. I will recommend the book.
D**U
Very actual topic written in a fashion that even non-professionals can understand
Caroline makes this topic very practical and the goals of measuring security very achievable. I appreciate the explanations (lingo, IMHO) that make me feel more familiar with the subject almost like part of her security team. I recommend this book.
F**N
Much More than a Beginner's Guide
There are plenty of books on the market that explain various security technologies. There are plenty of books that explain theory. And there are plenty that explain processes. Caroline Wong in her book, "Security Metrics: A Beginner's Guide" fills a much needed gap: how to make all this technology, theory and processes worthwhile. Every once in a while we get to read something that is so startlingly clear that we wonder why it took so long for somebody to write it. It isn't that we didn't know each step, it's that we needed somebody to put the steps in order so we can get where we want to go. Caroline articulates where we want to go in a well thought out, logical, calculated and justifiable manner. Caroline provides the objective, justification and process for creating an exquisitely managed security metric program. She provides the justification for metrics, the approach to meaningful analysis, the process for defining and executing the project. Then she demonstrates how to assure that management gets the right information at the right time. My only problem with this book is that the title suggests that it's not for seasoned or experienced security professionals. This is not just a beginner's guide; rather it is a practical and well-thought-out roadmap for implementing a security metric program. Caroline even provides templates and checklists to support such a program. With this book in hand security teams are well armed to comply with the maxim: you have to measure it in order to manage it.
A**
THE book I recommend to those starting to build security metrics.
I am a security consultant and one of the more common questions I get is, "How do I create good security metrics?" I always recommend they start by reading Caroline's book. The book takes you through the basics of security metrics, what makes a good metric and what doesn't, along with guidelines on building out a set of metrics that are meaningful to you. I have had the luck to meet and hear Caroline Wong. When I read this book, I can hear Caroline's voice. It is true to her voice. Go search Caroline Wong on YouTube and then buy the book.
J**N
Perfect
Information Security is an evolving discipline so calling this a "beginners guide" does it a disservice. If you work in this field - buy it.