Anything can be measured. As Bertrand Russell wrote –
All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.
This is one of the talks I gave at our weekly Thursday seminar – register here for the webinar.
The talk discusses how data security metrics can be used in a value-based approach to security, giving examples of security metrics and a number of practical measurement techniques. It also shows how security metrics feed quantitative risk modeling to calculate the Value at Risk of information assets, and how that figure is used to justify security investments that reduce risk at lower cost.
- A comprehensive source of information security metrics is NIST Special Publication 800-55, “Security Metrics Guide for Information Technology Systems”.
- See Gary Hinson’s excellent post on 7 myths about security metrics.
- Andrew Jaquith’s book Security Metrics – “Replacing Fear, Uncertainty, and Doubt”.