This page provides a list of resources for learning more about information security metrics:

MetricsCenter Publications
Projects of General Interest

Books of General Interest

Articles of General Interest

Podcasts

Publications on Data Anonymization

Publications on Data Visualization

MetricsCenter Publications

Links to Amazon and other useful sources are provided for each of the above if you are interested in learning more.

Note:  If you have projects, events, links, references that you would like to have added to this list, please send an email with all pertinent information to info at plexlogic dot com.

MetricsCenter Publications

The following white papers and technical notes have been published as part of the MetricsCenter project:

• Sammy Migues and EA Nichols, "Mathematical Profile of a Winner--BSIMM Data Analyzed", presented at RSA 2010, 2 March 2010
• Ashish Larivee and EA Nichols, "Metrics for Insights on the State of Application Security", presented at Metricon 4.5, 1 March 2010
• Lynn Terwoerds, Caroline Wong, EA Nichols, "Cloud Security Alliance:  Metrics Working Group", presented at Metricon 4.5, 1 March 2010
• Nichols, E.A., "Crunching Metrics from the DataLossDB and Google Finance", Metricon4, August 2009
• Nichols, E.A., "Crunching Metrics from Public Data", RSA, April 2009
• Nichols, E.A., "MetricsCenter: Technical Note #1 for Review and Comment", http://www.metricscenter.net/downloads/Metrics_Center_Note-1_v4.pdf
• Nichols, E.A., Allen, Julia, CERT Podcast, Feb 2008, "Security Metrics", http://www.cert.org/podcast/show/20080205nichols.html
• Nichols, E.A., Allen, Julia, CERT Podcast, Apr 2008, "Using Benchmarking to Make Better Decisions", http://www.cert.org/podcast/show/20080415nichols.html

Back to top

Projects of General  Interest

• SecurityMetrics.org:  Founded by Andrew Jaquith, Dan Geer, and Kevin Soo Hoo, securitymetrics.org is a community that is devoted to the study of security metrics.  Andrew moderates the securitymetrics.org mailing lists that has about 800 security researchers, CISOs, consultants, vendors, and practitioners.  Additionally, securitymetrics.org sponsors two one-day workshops which are listed on the events page.
• The Department of Homeland Security (DHS):  In June 2011, DHS published a document entitled:  Chief Information Officer Federal Information Security Management Act (FISMA) Reporting Metrics, Version 1.0. Some of these metrics are mapped to specific requirements in NIST SP-800-53 and FIPS-199 high impact systems, others are not.  This is a short 11-page document that identifies metrics to address basic quantities asset inventory, configuration, vulnerability, identity, and access management.
• Center for Internet Security Consensus Metrics:  A team of over 100 government, private, and academic experts worked under the direction of the Center for Internet Security to reach consensus ona small initial set of security outcome and practice metrics which were released in early 2009.  Subsequent projects are being launched to expand on the initial metrics set.
• Index of Cyber Security: A sentiment based index derived via surveying a qualified collection of experts designed to measure risk to corporate, industrial and government infrastructure.  The ICS index is updated monthly.
• Project Quant:  Project Quant is a special research project to develop a metrics model for measuring the costs and effectiveness of various security management disciplines.  The focus of all Project Quant efforts is on detailed, process-oriented models for improving efficiency and effectiveness within specific security disciplines.
• Data Breach Investigations Report for 2012: This is an annual report published by Verizon based upon data from investigations performed by Verizon as well as several other organization.
• State of Software Security Reports: These are a series of reports on application software security based upon data collected by Veracode.
• Building Security In Maturity Model (BSIMM) Project: This is a project sponsored by Cigital, Inc that is focussed on finding key activities that the best software companies employ to build security in to the software that they develop.
• Cloud Security Alliance (CSA) Metrics Working Group:  This is a project that was initiated in November 2009 under the auspices of the Cloud Security Alliance.  The focus of this effort is to identify and define metrics associated with the unique requirements of cloud computing.  These metrics will be tied to the reference architecture for cloud security published by the CSA.
• Risk Jobs Index: An index developed by one of the authors and maintainers of the Index of Cyber Security, Mukul Pareek.  This index is based upon the number of risk management jobs advertised on a popular job aggregator website called indeed.com.  It is designed to be a measure of investment in risk management by government and commercial enterprises.

Back to top

Books of General Interest

• Ayres, Ian, Super Crunchers: Why Thinking-by-Numbers Is the New Way to Be Smart, City, Bantam, 2007. See also Ian Ayres' web site.
• Axelrod, Warren C., Bayuk, Jennifer L., Schutzer, Daniel (eds), Enterprise Information Security and Privacy,Feb 2009.  See Amazon page.
• Bernstein, Peter, Against the Gods: The Remarkable Story of Risk, John Wiley & Sons, Inc., 1996. See also Peter Bernstean's web site.
• Borge, Dan, The Book of Risk, Wiley, 2000. See Amazon page for this book.
• Brotby, W. Krag, Informantion Security Management Metrics, A Definintive Guide to Effective Security Monitoring and Measurement, Mar 2009.  See Amazon page.
• Jaquith, Andrew R., Security Metrics – Replacing Fear, Uncertainty and Doubt, Addison-Wesley Professional, 2007. See Amazon page for this book.  Elizabeth Nichols contributed two chapters to this book.
• Geer, Daniel E., Jr., Economics and Strategies of Data Security, Verdasys, 2008, See Verdasys information page.
• Herrmann, Debra S., Complete Guide to Security and Privacy Metrics, Auerbach Publications, 2007. See Amazon page for Debra Hermann books.
• Hubbard, Douglas, How to Measure Anything, Wiley, 2007.  See home page.
• Lewis, Michael, Moneyball, W.W. Norton & Company, 2004.  See Literati pages for Michael Lewis.
• Lewis, Michael, Liars’ Poker, Penguin, 1990.  See Amazon pages.
• Marty, Raffael, "Applied Security Visualization", Addison-Wesley Professional, 2008, See Amazon page.
• Oram, Andy and Viega, John, "Beautiful Security:  Leading Security Experts Explain How They Think", O'Reilly, 2009.  See Amazon page.  Elizabeth Nichols contributed the chapter entitled "Beautiful Metrics".
• Peltier, Thomas, Information Security Risk Analysis, Auerbach Publications, 2005.  See Amazon page.
• Vose, David, Risk Analysis: A Quantitative Guide, Wiley, 2000.  See Voxe Consulting home page.
• Wong, Caroline, "Security Metrics:  A Beginner's Guide", McGraw-Hill, 2012.  See Amazon page.  Elizabeth Nichols contributed three chapters to this book.

Back to top

Articles of General Interest

• Marty, Raffael, "Applied Security Visualization", Rosenblatt, Joel, Security Metrics:  A Solution in Search of a Problem: http://connect.educause.edu/Library/EDUCAUSE+Quarterly/SecurityMetricsASolutioni/47083
• NIST Security Metrics Guide for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
• Payne, Shirley C., "SANS Instititute – A Guide to Security Metrics", June 2006: http://www.sans.org/reading_room/whitepapers/auditing/55.php
• Berinato, Scott, "A Few Good Metrics", CSO Magazine, July 2005: http://www.csoonline.com/read/070105/metrics.html
• Systems Security Engineering – Capability Maturity Model": http://www.sse-cmm.org/metric/metric.asp
• Bowers, "Tom, Real-World Security Metrics", November 2005: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1137967,00.html
• Geer, Daniel E., Jr., "A Quant Looks at the Future Extrapolation via Trend Analysis", 2007: http://geer.tinho.net/trends.pdf
• Geer, Daniel E., Jr., "Measuring Security", 2007: http://geer.tinho.net/usenix/measuringsecurity.tutorialv2.pdf
• SecurityMetrics.org, "Metricon 1.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon1.0
• SecurityMetrics.org, "Metricon 2.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon2.0
• SecurityMetrics.org, "Metricon 2.5 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=MiniMetricon2.5
• SecurityMetrics.org, "Metricon 3.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.0
• SecurityMetrics.org, "Metricon 3.5 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.5
• SecurityMetrics.org, "Metricon 4.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon4.0
• SecurityMetrics.org, "Metricon 4.5 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=MiniMetricon4.5
• SecurityMetrics.org, "Metricon 5.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon5.0
• SecurityMetrics.org, "Metricon 5.5 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon5.5
• SecurityMetrics.org, "Metricon 6.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon6.0
• SecurityMetrics.org, "Metricon 6.5 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon6.5
• SecurityMetrics.org, "Metricon 7.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon7.0
• Hinson, Gary, "Seven myths about information security metrics", July 2006: http://www.noticebored.com/IsecT_paper_on_7_myths_of_infosec_metrics.pdf
  
• QoP Accepted Papers from the 4th QoP Workshop that was held in October 2008:  http://qop-workshop.org/Accepted.htm

Back to top

Podcasts

• Jaquith, Andrew and Geer, Dan, Aug 2007, "Technometria:  Security Metrics", http://itc.conversationsnetwork.org/shows/detail1902.html
• Mitre Corporation, "Making Security Measurable".  A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about CVE, CWE, and Making Security Measurable at Black Hat Briefings 2007 – August 2007, http://cve.mitre.org/docs/docs-2007/blackhat_audio_msm.mp3
• Kreitner, Clint and Allen, Julia,CERT Podcast,Nov 2008,  "Getting to a Useful Set of Security Metrics",  http://www.cert.org/podcast/show/20080902kreitner.html
• Merrell, Sam and Allen, Julia, CERT Podcast, Mar 2008, "Initiatin a Security Metrics Program:  Key Points to Consider", http://www.cert.org/podcast/show/20080318merrell.html
• Losi, Stephanie and Allen, Julia, CERT Podcast, Dec 2008, "The ROI of Security", http://www.cert.org/podcast/show/20061017losi.html

Back to top

Publications on Data Anonymization

The following are articles that cover various techniques for creating anonymized data set and/or attacking anonymized data sets to re-identify individuals or personally identifiable information:

• MIT Press Release Announcing New Open Software, Aug 2008:  http://www.metricscenter.net/downloads/MIT_Press_Release.pdf
• Meyerson and Williams,"General k-Anonymization is Hard", CMO 2003 - Finding optimum anonymization based upon k-anonymization is NP-Hard: http://www.metricscenter.net/downloads/General_K-Anonymization_is_Hard.pdf
• Zhong, et al, "Privacy-Enhancing k-Anonymization of Customer Data", June 2005, Algorithms for creating k-anonymized tables.SecurityMetrics.org, "Metricon 1.0 Digest and Presentations": http://www.metricscenter.net/downloads/Privacy_Enhancing_K-Anonymization.pdf
• Brown, E.K.,Data Anonymization Techniques - Overview of problem and survey of techniques.  Includes a bibliography at the end. Circa 2005: http://www.metricscenter.net/downloads/Techniques_Brown.pdf
• Katurai, "A Theory and Toolkit for the Mathematics of Privacy", MIT Masters Thesis 2006 - Desribes an Open Source Software Implementation of k-Anonymization: http://www.metricscenter.net/downloads/MIT_Masters_Thesis.pdf
• Narayanan and Shmatikov, "Robust De-anonymization of Large Sparse Datasets",circa 2007.  A description of algorithms to re-identify individuals when the anonymized data is very sparse.  Case study is the Netflix database:  http://www.metricscenter.net/downloads/shmat_oak08netflix.pdf
• Cirani, V. et al, "k-Anonymity":  A recent survey on one technique, namely k-anonymity:   http://spdp.dti.unimi.it/papers/k-anonymity.pdf
• Aggarawal and Srikant, "Privacy Preserving Data Mining", IBM Research. Describes a method that is suitable for survey-like data collection: masking data by adding noise while maintaining some statistical properties.  Unfortunately, research shows that the perturbation methods suggested so far are susceptible to various attacks.  See Chapter 5 in "Privacy-Preserving Data Mining" book by Aggarwal and Yu:  http://www.almaden.ibm.com/cs/projects/iis/hdb/Publications/papers/sigmod00_privacy.pdf
• Braman, Sandra, "Tactical memory: The politics of opennes in the construction of memory", FirstMonday, Volume 11, Number 7, 3 July 2006, link

Back to top

Publications on Data Visualization

The following are links and references to interesting web sites, articles and books that address data visualization:

On guidelines and best practices:

• http://www.edwardtufte.com
• http://biostat.mc.vanderhttp://extremepresentation.typepad.com/files/choosing-a-good-chart-09.pdf
• Abela, Andrew, "Chart Selector - A Thought sorter", 2006, http://extremepresentation.typepad.com/files/choosing-a-good-chart-09.pdf
• Juice Analytics Chart Chooser:  http://chartchooser.juiceanalytics.com/
• Marty, Raffael, blog on chart selection, http://www.itworld.com/security/57458/what-right-graph-use-what-situation

On frameworks:

• http://services.alphaworks.ibm.com/manyeyes/app
• http://www.swivel.com
• http://secviz.org

On approaches and technologies:

• http://www.spotfire.tibco.com
• http://www.ted.com
• http://chartchooser.juiceanalytics.com
• http://gapminder.org
• http://www.fudgie.org
• http://visualcomplexity.org
• http://stockcharts.com
• http://www.ggobi.org
• http://selectparks.net/~julian/pg (packet garden)
• http://www.cs.umd.edu/hcil/treemap (treemap by Ben Schneiderman)

Back to top