Implement an effective security metrics project or program. 'Disperses myths while illuminating truths, pointing towards better ways for IT to conceptualize, implement, and articulate the value proposition of security activities and investments! Clearly grounded in foundational concepts of risk management, decision support, and basic economics! Abounds with practical examples, anecdotes, metaphors, crisp descriptions of difficult concepts, comparisons with other industries, and a just plain entertaining writing style that won't strain your attention span! The relevance, information density, and readability of this book is top-notch! I strongly recommend it to anyone who is passionate and serious about protecting digital assets with better precision and effectiveness' - Joel Scambray, Co-Author, "Hacking Exposed", and CEO of Consciere. "IT Security Metrics" provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization. The book explains how to choose and design effective measurement strategies and addresses the data requirements of those strategies. The Security Process Management Framework is introduced and analytical strategies for security metrics data are discussed. You'll learn how to take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time. Real-world examples of security measurement projects are included in this definitive guide. Define security metrics as a manageable amount of usable data. Design effective security metrics. Understand quantitative and qualitative data, data sources, and collection and normalization methods. Implement a programmatic approach to security using the Security Process Management Framework. Analyze security metrics data using quantitative and qualitative methods. Design a security measurement project for operational analysis of security metrics. Measure security operations, compliance, cost and value, and people, organizations, and culture. Manage groups of security measurement projects using the Security Improvement Program. Apply organizational learning methods to security metrics.