Comments on: Security Metrics Revisited http://spiresecurity.com/?p=363 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Gunnar http://spiresecurity.com/?p=363&cpage=1#comment-547 Gunnar Sat, 18 Nov 2006 19:38:30 +0000 http://spiresecurity.com/blog/?p=363#comment-547 Can you game a system that uses metrics? Sure. Can you game a system with no metrics? Even easier. Metrics can be gamed like antyhing else, and they are not silver bullets either, but we have enough black arts in security already and we can use a little bit more science.

]]> By: Andrew Jaquith http://spiresecurity.com/?p=363&cpage=1#comment-546 Andrew Jaquith Fri, 17 Nov 2006 18:08:51 +0000 http://spiresecurity.com/blog/?p=363#comment-546 Pete — the issue with “metrics” is that it covers a lot of ground and means different things to different people. A lot of folks think metrics == ROI or metrics == ROSI. That is certainly one way to think about it.

I like to think about metrics as key indicators of performance — things that you count that can tell you how you are doing.

Moreover, if you do the metrics right, you can ensure that they cannot be (easily) gamed, which is really what Mike’s critique boils down to. See my recent blog entry “Good Metrics” (http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_161006_1), excerpted from my forthcoming book “Security Metrics,” due from Addison-Wesley in early 2007.

Yes, I am pimping my book.

]]>