Gary Hinson

Dr Gary Hinson PhD MBA CISSP is an information security specialist with a passion for human factors and metrics. Gary's career stretches back to the mid-1980s as a practitioner, manager and consultant in the fields of IT system administration, information security and IT auditing.

Gary now runs an information security awareness subscription service (www.NoticeBored.com) and spends his days researching and writing awareness materials. Through www.ISO27001security.com, Gary promotes and contributes to the ongoing development of the ISO/IEC 27000-series information security management standards. He lives near Napier, New Zealand.

AusCERT2012 Presentation

Security Metametrics - A Practical Approach

The handful of good books, standards and articles on information security metrics are long on fine academic principles, but decidedly short on get-on-and-do-it advice for busy ISMs and CISOs. This is undoubtedly a complex issue, arguably one of the most difficult areas of information security management. 

It is quite bizarre that so many Information Security Management Systems today are being run without decent metrics. How do people justify their budgets? How do information security and business managers keep track of the important parameters if they don't even know what those are? How can they possibly drive continuous improvement and risk reduction without the necessary information? 

This presentation will lay out a straightforward, practical approach to developing and implementing worthwhile information security metrics to support management decisions. I will explain how to select "a few good security metrics" from the thousands of candidate metrics out there, using a rational, systematic method designed specifically for information security practitioners - but applicable, in fact, to all sorts of metrics.

AusCERT2012 Presentation in PDF format