Further Reading: Security Metrics, Measurement, and Reporting to the Board
Curated, annotated resources for measuring a program and reporting it upward. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 37.
Suggested order
- Skim NIST SP 800-55 to see how a standards body frames the selection of meaningful measures — the antidote to vanity metrics.
- Read one accessible treatment of risk quantification (the FAIR introduction) to ground "report risk in money," which is what boards actually want.
- Browse the Verizon DBIR for the dwell-time and detection-source data that make MTTD a board-level concern.
- Keep a maturity model (NIST CSF Tiers, or C2M2) open as a reference when you build the maturity slide.
Standards & primary documents (Tier 1)
- NIST SP 800-55, Measurement Guide for Information Security (the earlier revision is titled Performance Measurement Guide for Information Security). 📋📜 The authoritative U.S. government treatment of how to select, define, and use security measures so that they inform decisions — the conceptual backbone of §36.1. Read the chapters on what makes a measure meaningful and on the implementation and reporting process.
- NIST, Cybersecurity Framework (CSF) 2.0 (2024), including its Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive). 📋🏗️📜 Use the six Functions (Govern, Identify, Protect, Detect, Respond, Recover) to structure a board scorecard, and the Tiers as a ready-made maturity scale.
- U.S. Department of Energy, Cybersecurity Capability Maturity Model (C2M2). 📋🏗️ A detailed, domain-by-domain maturity model with concrete practice statements at each level — excellent scaffolding for an evidence-based maturity self-assessment that survives audit scrutiny.
- Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 The evidence base for why MTTD and dwell time matter: it repeatedly documents how breaches are detected, by whom, and how long attackers dwell. Use its figures (carefully, as directional) when you justify a detection investment.
- CIS, Controls v8 and the CIS metrics/measures companion. 🛡️🏗️ Maps each control to measurable outcomes; a practical source for coverage and implementation metrics tied to specific safeguards.
Books (Tier 1 / Tier 2)
- Jaquith, A., Security Metrics: Replacing Fear, Uncertainty, and Doubt. 📋🛡️ The classic, opinionated argument for measuring outcomes over activity and against vanity metrics; the source of much of the modern discipline. Dated in tooling, durable in judgment. (Tier 2: a well-known professional text; treat specific figures as illustrative.)
- Hubbard, D., & Seiersen, R., How to Measure Anything in Cybersecurity Risk. 📋 Makes the case for quantitative risk measurement (in money and probability) over qualitative color-coding — directly relevant to the "report risk in dollars" board demand. Pairs naturally with the ALE methods of Chapter 27.
- Freund, J., & Jones, J., Measuring and Managing Information Risk: A FAIR Approach. 📋 The book-length treatment of the FAIR model for quantifying risk; the rigorous version of the risk-vs-appetite and risk-burn-down story a board responds to.
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide and Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜 Both cover metrics, KPIs/KRIs, MTTD/MTTR, maturity models, and governance reporting at exam depth; use the security-operations and risk-management chapters alongside this one.
Free online & talks (Tier 1 / Tier 2)
- The FAIR Institute (fairinstitute.org). 📋 Free material on quantitative risk and communicating it to executives — the practical home of "report risk in money." (Tier 2: a vendor-adjacent community; sound on method, read critically.)
- MITRE ATT&CK and the ATT&CK coverage / navigator tooling (attack.mitre.org). 🛡️ The basis for detection-coverage metrics (§36.3) — measure the fraction of relevant techniques you can actually detect, the sharpest answer to "what could an attacker do that we wouldn't see?"
- SANS / industry maturity-model and metrics talks. 🛡️📋 Many free conference talks walk real CISO board decks and metrics programs; search for "security metrics that matter" and "board reporting." (Tier 2: quality varies; favor talks by practicing CISOs who show real (sanitized) decks.)
- On vanity metrics generally — the broader product/analytics literature on "actionable vs. vanity metrics." 📋 Borrowed from outside security, it sharpens the core discriminator of §36.1 better than most security-specific sources. (Tier 2: general business writing; the principle transfers cleanly.)
Tools to explore (in your own lab / program only)
- A one-screen board scorecard template. 📋🏗️ Build the Figure 36.3 layout in whatever tool you present with; the constraint itself (one screen, 5–7 metrics) is the exercise. Start from the four board questions, not from the data you happen to have available.
- An ATT&CK coverage map of your own detections. 🛡️ Lay your detection rules over the ATT&CK matrix to produce an honest detection-coverage percentage — the single most clarifying metrics exercise a SOC can do, and the one NorthRiver (Case Study 2) never did.
⚖️ Authorization & Ethics reminder: Metrics you report are testimony others rely on for legal and fiduciary duties. Source benchmarks honestly and label them directional, define metrics so they cannot be quietly gamed, and present uncertainty as uncertainty. Several sources above offer benchmark figures — cite them as approximate, never as precise fact (Chapter 39 returns to professional ethics).