InfoSec PRAGMATIC Metrics Boot Camp Training, Level III

LENGTH: 3 Days

2023 DATE(s): contact us for 2023 dates or to schedule an onsite course (6 or more students required).

$1295: Early Bird; $1595 After Early Bird


The Information Security (InfoSec) PRAGMATIC Metrics Boot Camp Training provides invaluable tools and essential guidelines necessary for dealing with security metrics. Attendees learn how to develop a system of effective and meaningful measures that will enhance security and improve cost-effectiveness of any security program.

This very timely security boot camp covers real-time, accurate and reliable metrics that are critical to every security program, regardless of size. This is the ultimate how-to-do-it training for security metrics. Packed with helpful tips, attendees learn how to specify, develop, use, and maintain an information security measurement system (a comprehensive suite of metrics).


Attendees of this boot camp training will take away a process, approach and set of tools to develop a system of effective and meaningful measures that will enhance security and improve cost effectiveness of any security program.


No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication and delivering the information needed by various parts of the organization to make informed decisions. Information security is no different. While practitioners frequently lament the profession’s lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information or comfort, let alone assurance.

Based on the book PRAGMATIC Security Metrics (Auerbach, 2013), co-authored by Krag Brotby and Gary Hinson, this intensive boot camp training is designed to provide a hands-on practical approach to developing, testing, and operating a set of metrics that actually support the business, providing management with the information needed to make crucial decisions on risk, security, control, assurance and governance.

While there are literally thousands of things that can be measured, the PRAGMATIC approach allows selection of the relatively few that are truly effective and provide a sound basis for making operational, management and strategic security decisions. This is accomplished using a set of criteria defined by the PRAGMATIC acronym. A comprehensive set of maturity scales provides the measurements for each of the nine criteria, resulting in a ranking that identifies the optimal metrics options.


This class is taught by renowned security expert Krag Brotby, CISM, CGEIT, author of the official ISACA CISM Review Manual.

Krag is the 'go-to' computer security expert for mastering the CISM exam. He has successfully trained thousands of CISM candidates over the past 16 years, preparing them for the very difficult CISM Exam.

  • Author of the official ISACA CISM Review Manual since 2005.
  • Author of the CISM Glossary Document and the CRISC Glossary Document.
  • Served on the ISACA Security Practice Development Committee responsible for exam question development.
  • Edited the entire 1,200-question CISM sample question database, creating approximately 800 questions for the ISACA 2016 CISM QAE Book.
  • Taught CISM courses globally during the past decade, including at the US Pentagon, the US Marine Corps, the Navy and the Army.
  • Frequent security expert practitioner/instructor at conferences globally; lectures on information security governance, metrics, information security management, GRC and CISM exam preparation throughout Oceania, Asia, Europe, the Middle East and North America.



(6 hours per day x 3 days)

1.  Information Security Metrics

1.1 Overview
1.2 Measures and Metrics
1.3 Taxonomy

2.  Why Measure Information Security?

2.1 To answer awkward management questions
2.2 To improve information security systematically
2.3 For strategic, tactical and operational reasons
2.4 For compliance and assurance
2.5 To fill the vacuum caused by our inability to measure information security
2.6 For profit!
2.7 For various other reasons …

3.  The Art and Science of Security Metrics

3.1 Metrology, the science of measurement
3.2 Governance and management metrics
3.3 Information security metrics
3.4 Other advice on information security metrics

4.  Metametrics and the Metrics Lifecycle

4.1 Metametrics
4.2 The information security metrics lifecycle

    • Requirements specification
    • Business case
    • Architecture and design
    • Metrics development
    • Testing the metrics
    • Implementation
    • Metrics management and improvement
    • Retirement

5. Designing and Developing Information Security Metrics:
     Measurement Techniques

5.1 Metrics systems architecture

    • Optimal metrics combinations

5.2 Criteria for assessing potential metrics: introducing the pragmatism index

5.3 Background

    • The fundamental issue with measuring information security

5.4 The PRAGMATIC criteria

P =  Predictive, Prescriptive
R =  Relevant, Reliable, Robust and Repeatable
A =  Actionable
G =  Genuine
M = Meaningful
A =  Accurate
T =  Timely
I =   Independent and has Integrity
C =  Cheap, Clear, Concise and Credible

5.5 A worked example: applying the pragmatism index in practice

    • Breakout Practicum – ranking sample metrics using PRAGMATIC criteria with maturity scales
    • Class Review – reviewing consistency and relevance of ratings
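The scoring exercise in 5.4 and 5.5 can be sketched in code. The following is an added example, not material from the course or the book: each candidate metric is rated by several raters against the nine PRAGMATIC criteria, the ratings are averaged into a pragmatism index, candidates are ranked, and any criterion on which the raters disagree widely is flagged for the calibration discussion. The 0-100 scale, the unweighted mean, the 20-point disagreement threshold, the candidate metrics and all ratings are assumptions constructed for this example; the course's own maturity scales may differ.

```python
"""Rank candidate security metrics with the PRAGMATIC criteria.

Each candidate metric is rated against the nine PRAGMATIC criteria on a
0-100 scale by one or more raters.  The pragmatism index is the unweighted
mean of the nine criterion scores (the scale and the plain mean are
assumptions of this example).  Criteria on which raters disagree by at
least a threshold are flagged for the calibration discussion.
"""
from statistics import mean

# One label per letter of the acronym (R, I and C cover several words each).
CRITERIA = (
    "Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
    "Accurate", "Timely", "Independent", "Cost",
)


def _rating(*scores):
    """Build a rating dict from nine scores given in CRITERIA order."""
    return dict(zip(CRITERIA, scores))


# Constructed sample ratings (not real data): metric -> one dict per rater.
SAMPLE_RATINGS = {
    "Percentage of systems patched within SLA": [
        _rating(60, 80, 90, 70, 80, 70, 80, 50, 80),
        _rating(50, 80, 90, 60, 70, 80, 70, 40, 90),
    ],
    "Number of IDS alerts per month": [
        _rating(20, 30, 10, 60, 20, 50, 80, 30, 90),
        _rating(10, 30, 20, 30, 10, 60, 90, 30, 90),
    ],
    "Security awareness quiz pass rate": [
        _rating(50, 60, 70, 40, 60, 50, 60, 40, 70),
        _rating(40, 70, 60, 70, 60, 40, 60, 40, 80),
    ],
}


def validate_rating(rating):
    """Reject incomplete ratings or scores outside 0..100."""
    missing = set(CRITERIA) - set(rating)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    for name, score in rating.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{name}: score {score} not in 0..100")


def criterion_means(ratings):
    """Average each criterion across raters."""
    for r in ratings:
        validate_rating(r)
    return {c: mean(r[c] for r in ratings) for c in CRITERIA}


def pragmatic_score(ratings):
    """Pragmatism index: unweighted mean of the nine criterion means."""
    return mean(criterion_means(ratings).values())


def rater_disagreement(ratings, threshold=20):
    """Criteria whose score range across raters reaches the threshold."""
    flagged = []
    for c in CRITERIA:
        scores = [r[c] for r in ratings]
        spread = max(scores) - min(scores)
        if spread >= threshold:
            flagged.append((c, spread))
    return flagged


def rank_metrics(ratings_by_metric, threshold=20):
    """Return (metric, score, disagreements) tuples, best score first."""
    rows = [
        (name, pragmatic_score(rs), rater_disagreement(rs, threshold))
        for name, rs in ratings_by_metric.items()
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, flagged in rank_metrics(SAMPLE_RATINGS):
        note = f"  review: {flagged}" if flagged else ""
        print(f"{score:5.1f}  {name}{note}")
```

With the constructed ratings the patch-compliance metric ranks first and the raw IDS alert count last, and the "Genuine" criterion is flagged on two candidates because the raters disagreed by 30 points there; that is the kind of inconsistency the class review step is meant to surface before scores are trusted.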

6. What to Measure

6.1 Shortlisting information security metrics using the pragmatism index

    • Derivative measures, indicators and proxies
    • Inference
    • Correlation
    • Observer bias
    • Observer calibration

6.2 PRAGMATIC metrics scoring examples

    • Logical security metrics examples
    • Personnel security metrics examples
    • Physical security metrics examples
    • Information security Key Risk Indicator examples
    • Change and configuration management metrics examples
    • Incident management metrics examples
    • Information security control metrics examples
    • Control objectives
    • Business alignment of control objectives
    • Controls policy
    • Control relevance
    • Control monitoring and testing
    • Information security compliance and assurance metrics examples
    • Quality assurance metrics examples
    • Cloud computing metrics examples
    • Security culture metrics examples
    • Information security management and governance metrics
    • Financial information security metrics
    • Hybrid metrics examples

7. What Not to Measure

7.1 What gets measured gets done
7.2 Changing a culture

8.  Designing your PRAGMATIC Information Security Measurement System

8.1 Introduction
8.2 Scoping the information security metrics system
8.3 Developing the business case for information security metrics
8.4 How good do measurements need to be?
8.5 Selecting or developing new PRAGMATIC security metrics
8.6 Using and exploiting existing security metrics: measurement on the cheap
8.8 Designing intrinsically-safe metrics
8.9 Forward planning, continuous improvement and maturity
8.10 The downsides of metrics

    • When the numbers lie
    • Scoring political points through metrics
    • Implausible deniability
    • Metrics gaps
    • On being good enough

8.11 Other design considerations for your security metrics system
8.12 Key Goal Indicators (KGI)
8.13 Key Performance Indicators (KPI)
8.14 Key Risk Indicators (KRI)

    • Breakout Practicum – design metrics suite to address organizational issues
    • Presentation of metrics suites with class review

9.  Using PRAGMATIC Metrics

9.1 Gathering the base data

    • Automated data sources
    • Surveys and interviews
    • Scoring scales
    • Logging & tracking systems
    • Audits and reviews

9.2 Data analysis and statistics
9.3 Data presentation
9.4 Using, reacting and responding to metrics

10.  Designing the Information Security Metrics System: a Worked Example

10.1 The hypothetical organization
10.2 Information security metrics for the C-suite

    • Information security metrics for the CEO
    • Information Security Governance metrics
    • Information security metrics for the CIO

10.3 Strategic metrics
10.4 Management metrics
10.5 Operational metrics

    • Reducing the risk of inappropriate responses
    • Breakout Practicum – creating metrics for your own organization
    • Presentation of metrics designs for class review, comment and suggestions

11.  Summary/Conclusions

11.1 Key lessons and take-home messages
11.2 An action plan

12.  Questions/Answers


  • Access to the online training class recording after the training is held.
  • The instructor’s actual classroom presentation slides.
  • Megamind Training Institute Certificate of Completion:
    3-Day InfoSec PRAGMATIC Metrics Training (18 hours).


Pre-CLASS Reading

This course is based on the published book PRAGMATIC Security Metrics (Auerbach, 2013), co-authored by Krag Brotby and Gary Hinson.

As this course is based on the book, it is strongly recommended that attendees read the book prior to attending the online course for the most benefit.


This training class is designed to help IS professionals who are struggling to make sense of security metrics, or who are searching for better metrics to manage and improve information security.

A must attend for: ISMs, CISOs, CIOs, CROs, COOs, auditors, security operations, and senior, middle and junior management levels.

Anyone involved with information security would greatly benefit from this training.




Attend this live, instructor-led online training from your own personal working environment — from your home or your office via the internet.


All classes run 3 full days from 7:00AM-2:00PM (PT) except where noted.

There are two morning sessions and two afternoon sessions each day.

Each session is about 90 minutes long with a 15 minute break per session, and a 30 minute lunch break daily.



Pacific Time Zone:    7:00AM – 2:00PM
Mountain Time Zone:   8:00AM – 3:00PM
Central Time Zone:    9:00AM – 4:00PM
Eastern Time Zone:   10:00AM – 5:00PM
International Time Zones Vary According to Country

Refer to the World Time Zone Converter for your time zone.


Cancellations will be accepted up to 10 working days before the scheduled course. After that time, no refunds will be given but substitutions may be sent at any time or tuition may be applied to a future training class.

Megamind reserves the right to cancel or postpone any scheduled training class.


This class is available for group training:
private onsite -or- live, online class.

For scheduling and pricing, email:



2. PAY your TUITION using PayPal “Buy Now” below.

Class Dates:


You will receive a confirmation email after completing the registration form and payment.

Want to pay using a purchase order?
Then fill out our online Registration form and we will contact you.

Want to request onsite training or learn more about IT training?
Then drop us a note using our Contact form.