The document provides references and resources for developing a security metrics program, including publications, standards, websites, and books. It lists security metrics guides and articles from Microsoft, ISO, ISSA, CSO Online, SearchSecurity.com, SearchFinancialSecurity.com, ISC2, and metrics toolkits from Unified Compliance Framework. All of the references aim to help organizations measure the effectiveness of their security programs and make data-driven decisions.

1. Resources – Helpful slides (One of Two)
These important references will aid in developing a security metrics program
Information Week Analytics – Governance Vs. Success: Models and Metrics
December, 2008 http://informationweekanalytics.com/
Available to companies via the publication’s online hosting of this content.
Microsoft – Security Risk Management Guide v1.2
March 15, 2006 Microsoft Corporation. All rights reserved.
Download and On-line Locations for the Security Risk Management Guide
Specifically sections: Measuring Program Effectiveness, Conducting Decision Support
- Download Center: http://go.microsoft.com/fwlink/?linkid=32050
- TechNet online: http://go.microsoft.com/fwlink/?linkid=30794
ISO/IEC17799/2005 - Information Security Standard
- ISO/IEC 13335-3 Guidelines for the Management of IT Security
http://www.iso.org/iso/home.htm
Information Systems Security Association - (ISSA)
• The Use of ROI in Information Security – by Luther Martin (See Resources – ISSA Journal, Nov 2008)
• Security Metrics – Hype, reality and value demonstration – by Aurobindo Sundaram (ISSA Journal, May 2008)
• Ways to Determine or Prioritize Security Initiatives – by Matt Ege (ISSA Journal, Jan 2009)
• http://www.issa.org/ These are just a few of many additional resources to search in this information repository.
CSO Online – The Security Metrics Collection, October 27, 2008
Refer to the Security Leadership section for Metrics and Budget
http://www.csoonline.com/
Presentation to ISSA – Phoenix, AZ – April, 2009 26

2. Resources – Helpful slides (Two of Two)
These important references will aid in developing a security metrics program
SearchSecurity.com A TechTarget online publication
Refer to the Topics section for Information Security Management
http://www.searchsecurity.com/
SearchFinancialSecurity.com – A TechTarget online publication
• Strategic Metrics for Information Security at Financial Services Firms – P. Lindstrom, Sept, 2008
Refer to the Management Strategies section for additional information
http://searchfinancialsecurity.techtarget.com/
International Information Security Systems Certification Consortium - (ISC2)
• Why Security Metrics Must Replace Traditional Risk Analysis Methodologies – by Robert Hudock, Mar, 2008
Available to ISC2 registered members via the organization’s online hosting of this content.
www.ISC2.org Locate in the ISC2 Journal Archives
Security Metrics: Replacing Fear, Uncertainty and Doubt
Author, Andrew Jaquith – 336 Pages
© 2007, Addison-Wesley Professional Publications.
Metrics Management Toolkit
- Implementing Metrics Management Guide, Metrics spreadsheet, Project WBS, 125+ predefined templates
© 2008, Unified Compliance Framework Inc.
http://www.unifiedcompliance.com/ Located in the IT Impact Zones / UCF Toolkits offerings section.
Presentation to ISSA – Phoenix, AZ – April, 2009 27