Books

Tag ∙ 10 posts

Posts

This essay is adapted from “Chapter 2: Defining Security Metrics” of my forthcoming book, Security Metrics: Replacing Fear, Uncertainty and Doubt from Addison-Wesley and Symantec Press, expected in early 2007. Small portions of this appeared in “The Future Belongs to the Quants,” an IEEE article co-authored by me, Dan Geer and Kevin Soo Hoo.

Information security is one of the few management disciplines that has yet to submit itself to serious analytic scrutiny. In security, business leaders ask:

Author’s note: the chapter is not finished. It has some organizational and structural flaws that won’t be ironed out until later in the editing process. There are also some parts that need additional fleshing out.

We’ve had some interesting chatter on the securitymetrics mailing list today about sparklines: tiny, intense, word-size graphics. This is one of Edward Tufte’s latest confections. His formal definition is here.