This page provides a list of resources for learning more about information security metrics:

MetricsCenter Publications
Projects of General Interest

Books of General Interest

Articles of General Interest

Podcasts and Videos

Publications on Data Anonymization

Publications on Data Visualization

MetricsCenter Publications

Links to Amazon and other useful sources are provided for each of the above if you are interested in learning more.

Note:  If you have projects, events, links, references that you would like to have added to this list, please send an email with all pertinent information to info at plexlogic dot com.

MetricsCenter Publications

The following white papers and technical notes have been published as part of the MetricsCenter project:

• Sammy Migues and EA Nichols, "Mathematical Profile of a Winner--BSIMM Data Analyzed", presented at RSA 2010, 2 March 2010
• Ashish Larivee and EA Nichols, "Metrics for Insights on the State of Application Security", presented at Metricon 4.5, 1 March 2010
• Lynn Terwoerds, Caroline Wong, EA Nichols, "Cloud Security Alliance:  Metrics Working Group", presented at Metricon 4.5, 1 March 2010
• Nichols, E.A., "Crunching Metrics from the DataLossDB and Google Finance", Metricon4, August 2009
• Nichols, E.A., "Crunching Metrics from Public Data", RSA, April 2009
• Nichols, E.A., "MetricsCenter: Technical Note #1 for Review and Comment", http://www.metricscenter.net/downloads/Metrics_Center_Note-1_v4.pdf
• Nichols, E.A., Allen, Julia, CERT Podcast, Feb 2008, "Security Metrics", http://www.cert.org/podcast/show/20080205nichols.html
• Nichols, E.A., Allen, Julia, CERT Podcast, Apr 2008, "Using Benchmarking to Make Better Decisions", http://www.cert.org/podcast/show/20080415nichols.html

Back to top

Projects of General  Interest

• SecurityMetrics.org:  Founded by Andrew Jaquith, Dan Geer, and Kevin Soo Hoo, securitymetrics.org is a community that is devoted to the study of security metrics.  Andrew moderates the securitymetrics.org mailing lists that has about 800 security researchers, CISOs, consultants, vendors, and practitioners.  Additionally, securitymetrics.org sponsors two one-day workshops which are listed on the events page.
• Center for Internet Security Consensus Metrics:  A team of over 100 government, private, and academic experts worked under the direction of the Center for Internet Security to reach consensus ona small initial set of security outcome and practice metrics which were released in early 2009.  Subsequent projects are being launched to expand on the initial metrics set.
• Project Quant for Patch Management:  Project Quant is a special research project to develop a metrics model for measuring the costs and effectiveness of patch management.  This is a Securosis Research Project that was sponsored by Microsoft.  All research is conducted and published in a totally transparent manner.  The focus of all Project Quant efforts is on detailed, process-oriented models for improving efficiency and effectiveness within specific security disciplines.
• Project Quant for Database Security:  This is the second Securosis Project Quant research effort that will develop an open, public, objective framework to measure the potential costs asssociated with database security.  Project Quant for Database Security is sponsored by Application Security, Inc.
• Cloud Security Alliance (CSA) Metrics Working Group:  This is a project that was initiated in November 2009 under the auspices of the Cloud Security Alliance.  The focus of this effort is to identify and define metrics associated with the unique requirements of cloud computing.  These metrics will be tied to the reference architecture for cloud security published by the CSA.

Back to top

Books of General Interest

• Ayres, Ian, Super Crunchers: Why Thinking-by-Numbers Is the New Way to Be Smart, City, Bantam, 2007. See also Ian Ayres' web site.
• Axelrod, Warren C., Bayuk, Jennifer L., Schutzer, Daniel (eds), Enterprise Information Security and Privacy,Feb 2009.  See Amazon page.
• Bernstein, Peter, Against the Gods: The Remarkable Story of Risk, John Wiley & Sons, Inc., 1996. See also Peter Bernstean's web site.
• Borge, Dan, The Book of Risk, Wiley, 2000. See Amazon page for this book.
• Brotby, W. Krag, Informantion Security Management Metrics, A Definintive Guide to Effective Security Monitoring and Measurement, Mar 2009.  See Amazon page.
• Jaquith, Andrew R., Security Metrics – Replacing Fear, Uncertainty and Doubt, Addison-Wesley Professional, 2007. See Amazon page for this book.
• Geer, Daniel E., Jr., Economics and Strategies of Data Security, Verdasys, 2008, See Verdasys information page.
• Herrmann, Debra S., Complete Guide to Security and Privacy Metrics, Auerbach Publications, 2007. See Amazon page for Debra Hermann books.
• Hubbard, Douglas, How to Measure Anything, Wiley, 2007.  See home page.
• Lewis, Michael, Moneyball, W.W. Norton & Company, 2004.  See Literati pages for Michael Lewis.
• Lewis, Michael, Liars’ Poker, Penguin, 1990.  See Amazon pages.
• Marty, Raffael, "Applied Security Visualization", Addison-Wesley Professional, 2008, See Amazon page.
• Peltier, Thomas, Information Security Risk Analysis, Auerbach Publications, 2005.  See Amazon page.
• Vose, David, Risk Analysis: A Quantitative Guide, Wiley, 2000.  See Voxe Consulting home page.

Back to top

Articles of General Interest

• Marty, Raffael, "Applied Security Visualization", Rosenblatt, Joel, Security Metrics:  A Solution in Search of a Problem: http://connect.educause.edu/Library/EDUCAUSE+Quarterly/SecurityMetricsASolutioni/47083
• NIST Security Metrics Guide for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
• Payne, Shirley C., "SANS Instititute – A Guide to Security Metrics", June 2006: http://www.sans.org/reading_room/whitepapers/auditing/55.php
• Berinato, Scott, "A Few Good Metrics", CSO Magazine, July 2005: http://www.csoonline.com/read/070105/metrics.html
• Systems Security Engineering – Capability Maturity Model": http://www.sse-cmm.org/metric/metric.asp
• Bowers, "Tom, Real-World Security Metrics", November 2005: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1137967,00.html
• Geer, Daniel E., Jr., "A Quant Looks at the Future Extrapolation via Trend Analysis", 2007: http://geer.tinho.net/trends.pdf
• Geer, Daniel E., Jr., "Measuring Security", 2007: http://geer.tinho.net/usenix/measuringsecurity.tutorialv2.pdf
• SecurityMetrics.org, "Metricon 1.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon1.0
• SecurityMetrics.org, "Metricon 2.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon2.0
• SecurityMetrics.org, "Metricon 3.0 Digest and Presentations": http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.0
• Hinson, Gary, "Seven myths about information security metrics", July 2006: http://www.noticebored.com/IsecT_paper_on_7_myths_of_infosec_metrics.pdf
  
• QoP Accepted Papers from the 4th QoP Workshop that was held in October 2008:  http://qop-workshop.org/Accepted.htm

Back to top

Podcasts and Videos

• Jaquith, Andrew and Geer, Dan, Aug 2007, "Technometria:  Security Metrics", http://itc.conversationsnetwork.org/shows/detail1902.html
• Mitre Corporation, "Making Security Measurable".  A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about CVE, CWE, and Making Security Measurable at Black Hat Briefings 2007 – August 2007, http://cve.mitre.org/docs/docs-2007/blackhat_audio_msm.mp3
• Kreitner, Clint and Allen, Julia,CERT Podcast,Nov 2008,  "Getting to a Useful Set of Security Metrics",  http://www.cert.org/podcast/show/20080902kreitner.html
• Merrell, Sam and Allen, Julia, CERT Podcast, Mar 2008, "Initiatin a Security Metrics Program:  Key Points to Consider", http://www.cert.org/podcast/show/20080318merrell.html
• Losi, Stephanie and Allen, Julia, CERT Podcast, Dec 2008, "The ROI of Security", http://www.cert.org/podcast/show/20061017losi.html
• Hugh Thompson, Founder of People Security, and Adam Shostack, co-author of The New School of Information Security, discuss whether metrics are necessary. http://link.brightcove.com/services/player/bcpid88077031001?bclid=87957123001&bctid=88176578001

Back to top

Publications on Data Anonymization

The following are articles that cover various techniques for creating anonymized data set and/or attacking anonymized data sets to re-identify individuals or personally identifiable information:

• MIT Press Release Announcing New Open Software, Aug 2008:  http://www.metricscenter.net/downloads/MIT_Press_Release.pdf
• Meyerson and Williams,"General k-Anonymization is Hard", CMO 2003 - Finding optimum anonymization based upon k-anonymization is NP-Hard: http://www.metricscenter.net/downloads/General_K-Anonymization_is_Hard.pdf
• Zhong, et al, "Privacy-Enhancing k-Anonymization of Customer Data", June 2005, Algorithms for creating k-anonymized tables.SecurityMetrics.org, "Metricon 1.0 Digest and Presentations": http://www.metricscenter.net/downloads/Privacy_Enhancing_K-Anonymization.pdf
• Brown, E.K.,Data Anonymization Techniques - Overview of problem and survey of techniques.  Includes a bibliography at the end. Circa 2005: http://www.metricscenter.net/downloads/Techniques_Brown.pdf
• Katurai, "A Theory and Toolkit for the Mathematics of Privacy", MIT Masters Thesis 2006 - Desribes an Open Source Software Implementation of k-Anonymization: http://www.metricscenter.net/downloads/MIT_Masters_Thesis.pdf
• Narayanan and Shmatikov, "Robust De-anonymization of Large Sparse Datasets",circa 2007.  A description of algorithms to re-identify individuals when the anonymized data is very sparse.  Case study is the Netflix database:  http://www.metricscenter.net/downloads/shmat_oak08netflix.pdf
• Cirani, V. et al, "k-Anonymity":  A recent survey on one technique, namely k-anonymity:   http://spdp.dti.unimi.it/papers/k-anonymity.pdf
• Aggarawal and Srikant, "Privacy Preserving Data Mining", IBM Research. Describes a method that is suitable for survey-like data collection: masking data by adding noise while maintaining some statistical properties.  Unfortunately, research shows that the perturbation methods suggested so far are susceptible to various attacks.  See Chapter 5 in "Privacy-Preserving Data Mining" book by Aggarwal and Yu:  http://www.almaden.ibm.com/cs/projects/iis/hdb/Publications/papers/sigmod00_privacy.pdf
• Braman, Sandra, "Tactical memory: The politics of opennes in the construction of memory", FirstMonday, Volume 11, Number 7, 3 July 2006, link

Back to top

Publications on Data Visualization

The following are links and references to interesting web sites, articles and books that address data visualization:

On guidelines and best practices:

• http://www.edwardtufte.com
• http://biostat.mc.vanderhttp://extremepresentation.typepad.com/files/choosing-a-good-chart-09.pdf
• Abela, Andrew, "Chart Selector - A Thought sorter", 2006, http://extremepresentation.typepad.com/files/choosing-a-good-chart-09.pdf
• Juice Analytics Chart Chooser:  http://chartchooser.juiceanalytics.com/
• Marty, Raffael, blog on chart selection, http://www.itworld.com/security/57458/what-right-graph-use-what-situation

On frameworks:

• http://services.alphaworks.ibm.com/manyeyes/app
• http://www.swivel.com
• http://secviz.org

On approaches and technologies:

• http://www.spotfire.tibco.com
• http://chartchooser.juiceanalytics.com
• http://gapminder.org
• http://www.fudgie.org
• http://visualcomplexity.org
• http://stockcharts.com
• http://www.ggobi.org
• http://selectparks.net/~julian/pg (packet garden)

Back to top