We move on now to demonstrate the PRAGMATIC method by using it to score a selection of candidate information security metrics. The approach we have taken in this chapter is to do the following:

◾ Identify approximately 150 information security metrics that might be under consideration to support a broad swathe of information security-related decisions*

◾ Group, classify, or structure the metrics to help us make sense of them ◾ Rate the metrics against the nine PRAGMATIC criteria (Appendix B) using

the method described in Chapter 6, generating an overall PRAGMATIC score and a set of accompanying notes for each metric

◾ Discuss the metrics and their ratings, pointing out the factors or reasoning that led us to rate them thus against the PRAGMATIC criteria making up their scores

Just as with the security metrics themselves, the PRAGMATIC approach is context sensitive; in other words, the scoring criteria may be interpreted differently under various circumstances. For the purposes of the examples in this chapter, we have assumed the evaluation of potential information security metrics is taking place in the context of a generic midsized commercial organization that has a relatively immature information security management system (probably not certified compliant with ISO/IEC 27001, but perhaps working toward that goal). The scores will differ, perhaps materially, in other organizations and business contexts, including your own, so by all means, disagree with the ratings and scores we have determined as you consider the examples in relation to your own business and security circumstances.