Security Metrics: Replacing Fear, Uncertainty, and Doubt 1st Edition

4.3 out of 5 stars 26 customer reviews
ISBN-13: 078-5342349986
ISBN-10: 0321349989

Editorial Reviews

From the Back Cover

The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations

"Security Metrics" is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise. Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization's unique requirements. You'll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

"Security Metrics" successfully bridges management's quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith's extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else.

You'll learn how to:

  • Replace nonstop crisis response with a systematic approach to security improvement
  • Understand the differences between "good" and "bad" metrics
  • Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk
  • Quantify the effectiveness of security acquisition, implementation, and other program activities
  • Organize, aggregate, and analyze your data to bring out key insights
  • Use visualization to understand and communicate security issues more clearly
  • Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources
  • Implement balanced scorecards that present compact, holistic views of organizational security effectiveness

Whether you're an engineer or consultant responsible for security and reporting to management, or an executive who needs better information for decision-making, "Security Metrics" is the resource you have been searching for.

Andrew Jaquith, program manager for Yankee Group's Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in "CIO," "CSO," "InformationWeek," "IEEE Security and Privacy," and "The Economist."

Table of Contents

Foreword
About the Author
Chapter 1 Introduction: Escaping the Hamster Wheel of Pain
Chapter 2 Defining Security Metrics
Chapter 3 Diagnosing Problems and Measuring Technical Security
Chapter 4 Measuring Program Effectiveness
Chapter 5 Analysis Techniques
Chapter 6 Visualization
Chapter 7 Automating Metrics Calculations
Chapter 8 Designing Security Scorecards

About the Author

Andrew Jaquith is the program manager for Yankee Group’s Enabling Technologies Enterprise group, with expertise in compliance, security, and risk management. Jaquith advises enterprise clients on how to manage security resources in their environments. He also helps security vendors develop strategies for reaching enterprise customers. Jaquith’s research focuses on topics such as security management, risk management, and packaged and custom web-based applications.

Jaquith has 15 years of IT experience. Before joining Yankee Group, he cofounded and served as program director at @stake, Inc., a security consulting pioneer, which Symantec Corporation acquired in 2004. Before @stake, Jaquith held project manager and business analyst positions at Cambridge Technology Partners and FedEx Corporation.

His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist. In addition, Jaquith contributes to several security-related open-source projects.

Jaquith holds a B.A. degree in economics and political science from Yale University.

Product Details

  • Paperback: 336 pages
  • Publisher: Addison-Wesley Professional; 1 edition (April 5, 2007)
  • Language: English
  • ISBN-10: 0321349989
  • ISBN-13: 978-0321349989
  • Product Dimensions: 6.9 x 1 x 9 inches
  • Shipping Weight: 1 pound
  • Average Customer Review: 4.3 out of 5 stars (26 customer reviews)
  • Amazon Best Sellers Rank: #68,977 in Books

Customer Reviews

Top Customer Reviews

Format: Paperback
I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.

Fortunately, Security Metrics offers another solution. The book gives readers three sets of information: theory, metrics, and tools (concepts, not programs). The theory chapters (1 and 2) were so concise yet insightful I was tempted to underline every sentence. (I am not kidding.) Even the Preface made me glad to be reading the book when it associated "security ROI" with "the Macarena" and called it a "needless distraction." I laughed in agreement when I saw Andy call "security enablement" the "Abominable Snowman: it is rarely spotted, but legions of people swear it exists. After all, as my friend Dan Geer puts it, 'You don't usually see airlines advertising how their planes fall out of the sky less often than their competitors.'" Why is that? My answer is simple: security is assumed and expected. Advertising anything else has no effect or makes people suspicious.
Format: Paperback
It's difficult to imbue a book on metrics with something other than academic theories, but Jaquith offers the working security professional a tangible lifeline. Nearly all of his suggested metrics are within easy reach, thanks to a commonsense approach and a tie-in to the instrumentation you're most likely to have in your data center.

Don't be scared off by the term "metrics," either; it's an easy read, chock full of amusing stories and turns of phrase (I thought my 80-year-old father was the only one who said "'pert near"). Jaquith focuses on the practical, from What Not to Draw (a graphics primer for charts and tables) to a Balanced Scorecard Makeover that actually looks achievable from outside the C-suite.

If your boss likes metrics, and your budget request is in jeopardy, you can't do better than this guide to making your case. Now, if only we had a practical, lightweight risk analysis methodology to go along with it ...
Format: Paperback
I'd really like to give this "3 ½" stars, but I rounded up to 4 stars. There is, currently, no book that is the "last word" on security metrics. The field is just not mature enough for that. However, this is certainly a very good and useful book for most people.

This book is for you if you are a practicing information security professional and you want to know the latest ideas about how to define, deploy, and use security metrics to improve security management. Written in an informal, personal style, Andrew's book reads more like "letters from the front lines" (by analogy) than a treatise on military strategy. The informal style makes the reading, at times, both fun and funny.

He's up front about his preferences and biases, so you know where he's coming from. But he's not bombastic. If you disagree with him on some points (as I do), so be it. His writing invites open debate on the important issues. He's also generous in quoting and crediting various members of the security metrics communities that he participates in.

Andrew falls into the "bag-o-metrics" school of thought, as contrasted from the "risk modeling" school. (This is currently a raging debate within the community.) Basically, Andrew is pessimistic about the possibility of defining any models that integrate security metrics into an overall assessment of business risk. He's especially caustic in his comments about "asset valuation" and other related approaches. Given their current state of development, I don't blame him.

Given this philosophy, Andrew proposes a long list of operational security metrics, each of which measures something very specific (and quantitative), but which don't necessarily aggregate. With enough of these "point metrics", some correlations may emerge, he reasons.
Format: Paperback
The goal of security metrics is to replace fear, uncertainty, and doubt (FUD) with a more formalized and meaningful system of measurement. The FUD factor is the very foundation upon which much of information security is built, and the outcome is decades of meaningless statistics and racks of snake oil products. Let's hope that Andrew Jaquith succeeds, but in doing so, he is getting in the way of many security hardware and software vendors whose revenue streams are built on FUD.

One could write a book on how FUD sells security products. One of the most memorable incidents was in 1992 when John McAfee created widespread panic about the impending Michelangelo virus. The media was all over him as he was selling solutions for the five million PCs worldwide he said would be affected. The end result is that the Michelangelo virus was a non-event. Nonetheless, it was far from the last time that FUD was used to sell security.

The allure of FUD is that companies can spend huge amounts of money fighting nebulous digital adversaries and feel good about it. They can then put all of that fancy hardware in dedicated racks in their data center, impressing the auditors with the flashing lights giving off an aroma of security and compliance.

And that is the chaos that security metrics comes to solve. Security metrics, if done right, can help transform a company from a nebulous perspective on security to an effective one based on formal security risk metrics.

Security Metrics is a fabulous book that should be in the hands of every security professional.
