Network Security CISSP-Discussion
[CISSP-D] REVIEW: "Security Metrics", Andrew Jaquith

Subject: [CISSP-D] REVIEW: "Security Metrics", Andrew Jaquith
Date: Wed, 29 Aug 2007 10:53:24 -0800
BKSECMTR.RVW   20070612

"Security Metrics", Andrew Jaquith, 2007, 0-321-34998-9,
U$49.99/C$61.99
%A   Andrew Jaquith
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   0-321-34998-9 978-0-321-34998-9
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 fax: 416-443-0948 800-822-6339 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0321349989/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321349989/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321349989/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   306 p.
%T   "Security Metrics: Replacing Fear, Uncertainty, and Doubt"

In the Foreword, Dan Geer states that the book is not about selling
the idea of metrics.  Which makes the initial chapters a bit
problematic: if they aren't about selling the idea of metrics, what
are they about?  Chapter one is supposed to be an introduction, but
seems primarily focused on the idea that metrics are not about risk
management.  (There is also an assertion that proper metrics are "well
understood across industries, and consistently measured," which is
interesting because much of what follows appears to contradict this
statement.)  The definition of security metrics, in chapter two,
addresses metrics from fields other than security, and emphasizes the
position that metrics are important (and that the current "metrics,"
such as checklist frameworks and annualized loss expectancy, are
inadequate).  Chapter three divides metrics into four general areas,
dealing with perimeter security, control, availability, and
applications development.  Brief examples of collections of metrics
related to these fields are given in the text, although the lists
can't be expected to be comprehensive, due to the huge scope of
security as a whole.  The second of these topics, control, is probably
the subject of chapter four, although it is entitled "Measuring
Program Effectiveness."  Basic concepts from statistics, such as the
difference between mean (average) and median (midpoint of a set of
elements), are presented in chapter five.  Chapter six talks about
demonstrating data in a visual manner.  Most of the material consists
of suggestions for graphics, and examples are given of "redrawing" the
displays of commercial programs.  Aspects of automating the
calculations of security metrics are outlined in chapter seven.  In
chapter eight, Jaquith recommends the use of a security scorecard
based on the Balanced Scorecard management assessment model.

Security can be difficult to define, let alone measure, and, in
general, too little attention is paid to numeric assessments that can
assist in determining how well we are performing at the task.  This
book does go somewhat beyond a mere exhortation to create and use
metrics for security, but it still leaves an awful lot of work for the
practitioner or manager.

copyright Robert M. Slade, 2007   BKSECMTR.RVW   20070612


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
Nothing in this world can take the place of persistence.  Talent
will not; nothing is more common than unsuccessful people with
talent.  Genius will not; unrewarded genius is almost a proverb.
Education will not; the world is full of educated derelicts.
Persistence and determination alone are omnipotent.  The slogan
`press on' has solved and always will solve the problems of the
human race.                                        - Calvin Coolidge
http://victoria.tc.ca/techrev/rms.htm