Securitymetrics.org is a community website.

The world of IT security has long been the exclusive province of soothsayers, scaremongers and FUDpackers. While this has certainly helped condition a fertile market for sellers of IT security widgets, security has not noticeably improved. Why not? We suggest that it is because most organizations have no way to quantitatively measure their current state, monitor leading indicators, or understand how to benchmark the effectiveness of their security operations. More to the point, IT security can fairly be deemed the only domain of modern business administration that still refuses to submit itself to serious analytical scrutiny. This is not good.

This website offers a rational, empirical alternative for decision-makers and security practitioners. Through the efforts of its members, securitymetrics.org intends to put the sword to the failed legacy of squeamish, squishy, non-metrics-based security decision-making. With luck and a bit of hard work, fear will yield to facts, and statistics will supplant scare tactics.

securitymetrics.org offers:

• A members-only mailing list
• Annual member conventions: Metricon, usually co-located at the RSA Conference or at USENIX Security
• Links to “good stuff” written by securitymetrics members, and by other practitioners
• Original articles and research

In short, this website is a portal, repository and sandbox in which practitioners can think creatively, collaborate, and research new ideas about security metrics.

Although the founding members of securitymetrics.org have their roots in the commercial world, anyone can join. We are particularly interested in prospective members who have backgrounds in econometrics, statistics, mathematical modeling, information visualization and — naturally enough — information security.

The Managing Editor of this website is Andrew Jaquith, CTO and SVP, Cloud Security Strategy, with SilverSky. He was previously a senior analyst with Forrester Research, and a co-founder and principal consultant at @stake, Inc.. This site is not affiliated with any company, and the opinions expressed on this website are strictly those of the authors themselves.

Sound interesting? Join today!

Problems or questions? Contact Andrew via admin__TA__securitymetrics__TOD__org (reverse the uppercase letters and substitute the correct punctuation). Yeah, I’m bracing for the ‘bot deluge.