Krag and I have been thinking about what might be of value in a 'toolkit' for security metrics. The kinds of things we have in mind are:
- Resources such as books and standards on information security, risk management, governance, metrics, statistics and business management - the toolkit would contain references, reviews and links, not the actual content!
- Techniques, methods and approaches - naturally I'm thinking of the PRAGMATIC method but there are alternative approaches (such as GQM) that complement it: again, the toolkit would contain just a summary with pointers to further advice, since there is a lot to be said;
- Bootstrap metrics - perhaps a few suggested information security metrics to get you started? I'm not so sure about this because it's hard to think of information security measurement requirements that are widely applicable, but I guess we could come up with a few illustrative metric ideas. Oh wait, we did that already - the 150 metrics in the book, most of which have been discussed on this very blog!
- FAQ - we have made a start on a security metrics FAQ but there's plenty more scope to develop that. What questions would you like us to address?
- Do's and don'ts - lessons from the trenches. We particularly favor the idea of publishing case studies on organizations that have developed coherent suites of information security metrics, discussing the process, pitfalls, triumphs and outcomes. Would your organization be a guinea pig? If so, get in touch.
- A project plan - perhaps some sort of generic outline or template of the steps most organizations would anticipate taking to specify, design, develop and implement an information security measurement system?
So what do you think? Is a "PRAGMATIC security metrics toolkit" something that would interest you? What would you most like it to contain? What else, apart from the items listed above, would be most useful for you?
Go ahead, we're all ears.