Security Metrics: Scorecard Design
Author’s note: the chapter is not finished. It has some organizational and structural flaws that won’t be ironed out until later in the editing process. There are also some parts that need additional fleshing out. However, it should give you a good idea where my head is at.
What does this mean to you? Simple. Since you’ve come to this website, you are by definition someone deeply interested in both measurement and security. I’d like to get your comments and feedback on the manuscript.
The preferred method for giving me feedback is via the wiki. If you’ve got an account on the securitymetrics.org wiki, you can “mark up” the wiki page itself with your comments. Just put your comments underneath the relevant pages. [Ed: As of early 2013, comments have moved to Discus, below this page.]
I’m also happy to receive feedback privately via e-mail—especially if you work for an enterprise and would rather keep out of the spotlight.
A minor comment: I would add at least a paragraph for each of those metrics to explain what those are and why they are needed.