Security metrics is an evolving field of study, involving a combination of purely scientific and not-so-purely scientific approaches as the academics and practitioners feed off each other. While we appreciate the value of the scientific and mathematical principles, theories, and models that underpin metrics and measurements, our particular contribution in writing this book lies far more on the practical side of the fence. We study metrics not for the sake of science, but because they can help us resolve real-world situations that we face in information security management. Call it applied science if you will, state of the art, perhaps.