PRAGMATIC Security Metric of the First Quarter
Having scored and discussed fourteen Security Metrics of the Week during the first three months of this blog, it seems appropriate now to take a step back, review the metrics we have discussed thus far and consider the value of the PRAGMATIC process.
Here are the fourteen security metrics, tabulated in descending order of their overall PRAGMATIC scores. Click any of the metrics to read more about them and discover why we scored them thus.
In simple numerical terms, the metric Discrepancies between physical location and logical access location is the leader of this little pack, which qualifies it as <cue drum roll> our first PRAGMATIC Security Metric of the Quarter. In fact, there's clearly not much to choose between the top four metrics in the table in terms of their overall PRAGMATIC scores. The scores and hence rankings may well have changed if we had made different assumptions in the scoring, or of course if we had altered the specification/wording of individual metrics to address the issues we identified and hence altered their scores. Furthermore, your scoring of the metrics may differ from ours due to differences in how we each understand and interpret both the metrics and the PRAGMATIC approach. We don't have the same experience as you, our biases differ, our presumptions and organizational contexts differ and no doubt we have different potential audiences and purposes in mind for these metrics.
That whole line of discussion is moot, however, since we are not claiming that the PRAGMATIC approach is scientific and objective. Our top-scoring metric is not necessarily the best of the bunch under all circumstances for all organizations, just as the lowest scoring metric may be appropriate and score more highly in certain situations. The approach simply offers a rational way to consider the value of and compare various security metrics, to elaborate on their pros and cons, to identify ways in which the metrics might be re-phrased or materially altered to improve them, and most of all to facilitate a more informed and productive metrics discussion with management. Even if you simply use the process to shortlist the most promising from a bunch of metrics candidates, leaving the final selection to management, isn't that a worthwhile outcome?
There's plenty more to say yet about being PRAGMATIC, including ways to glean further useful information from the data in the scoring table above, but we'll leave that for the book, future blog pieces, seminars and papers. Meanwhile, do please let us know about your favorite security metric and we'll see what we make of it. We look forward to your comments on this blog and emails, especially constructive criticism and creative ideas to make the PRAGMATIC approach even more effective. Over.