PRAGMATIC Security Metrics

Authors: W.Krag Brotby and Gary Hinson

The book is about how to make security metrics, assess, for whom to use them, but above all that it is useful to use them.

PAGMATIC stands for:

  • Predictive
  • Relevant
  • Actionable
  • Genuine
  • Meaningful
  • Accurate
  • Timely
  • Independent
  • Cheap

And these are the criteria on which each indicator must be assessed.

My personal favorite is the first: Predictive. An indicator must be able to tell something about what can be expected in the near future. The second is Actionable for me, because an indicator must be able to provide a measure that can adjust the indicator. Meaningful is important, because too often the owners of the indicators are disappointed, because too easy indicators are made, which are quickly and easily measurable, but tell us only a little bit about the security of the organization. Meaningful, in my view, is diametrically opposed to Cheap, which had to be “Complex”, because more complex indicators carry more information, but are more difficult to obtain, more difficult to interpret and therefore more expensive to use.

Accurate then reminds me of the fact that indicators best yield figures that are correct. A lot of discussion must be allowed, which is difficult when the indicators are not defined and / or measured accurate.

The seventh characteristic, Timely, indicates the natural characteristic that the management has no message from indicators that have already passed their time. This is also important for the predictive nature of the indicator.

The book opens with an office memorandum: the CEO of the company briefly asks the CSO to argue why Information Security is important. An answer that is due ‘tomorrow’.

The book then begins with a chapter that is indispensable: a lot of inspiration to make clear to the various target groups in the organization why working with Security Indicators is important, besides the fact that they already have the habit to use many other indicators, mainly financially.

This is followed by chapters on amongst other things, why we want to measure Security. This too can be motivating to help convince people in the organization.

The next important chapter is Chapter 6, which gives us an introduction to the mnemonic PRAGMATIC. Ultimately, however, the reader is free to choose other criteria.

However, the main chapter is claimed in Chapter 7 by applying the PRAGMATIC criteria to 150+ indicators, with a discussion of each one of them. This is to immerse the reader in the principle of thinking according to these criteria.

Then the book goes on to set up an Information Security Measurement System and the things that can be used for this. An introduction is given in Key Indicators, the disadvantages of metrics, and the practice is highlighted in, among other things, a chapter dealing with the case of the office memorandum in the beginning. This is followed by a not too complex conclusion. The book concludes with a reply from the CSO to the CEO’s question at the beginning of the book.

Crisis management strictly spoken: mini exercises

Author: Manu Steens

In the context of training, both large and regular small exercises are very important. The main objective of these 30-minute exercises is to learn to work together in a crisis situation. The emphasis is therefore also on getting to know each other in these kinds of circumstances. But also to learn to brainstorm together.

Here are some small exercises:

Polarisation – Understanding the dynamics of us versus them

Author: Bart Brandsma

With many oppositions, such as in politics, but also at home, at school, in an association, … there are people who have a feeling to be attacked verbally (or non-verbally). Two camps are formed, each with a number of groups, which the author classifies in:

–    The pusher
The joiner
The silent
The bridge builder
The scapegoat.

Each of them plays a role in a case of polarization.

The pusher mainly seeks his justification and power via one liners with which he tries to pull the mass of the silent to his joiners.

The bridge builder often tries to restore the harmony by working on the pusher with arguments, which usually amounts more fuel for the pushers and their joiners. He is usually not trusted, and often becomes the scapegoat.

There is, however, a method to break this vicious circle, based on four game changers:

–    Change target group: you do not have to concentrate on the pusher nor the joiners, but on the silent.
Change topic: find the underlying, often deeper hidden real reasons and goals of the dispute, and talk about it. This is very difficult, because if you hit the ball here, this is fuel for the pushers. However, it is the only chance you have to be believed by the silent.
Change position: speak from the group of the silent, in the middle of them, not from the point of view of the bridge builder. So also: show your own feelings in the case, be one with them.
Change the tone: you have to be truthful. The silent feels it directly if you do not believe what you stand for. In this respect, what the author calls mediative speech and mediative behavior is therefore an absolute necessity. If you ruin that, the polarization will explode in your face.

According to the author there is a strong intertwining between “big brother” polarization and “small brother” conflict. Both of them run together for a large part, but not entirely, so that polarization can always trigger a sequel after the end of a conflict.

This is the first book I know that appeared on the subject. It deals with the phenomenon of polarization in human language, so that everyone can understand it. It is a hands-on booklet laced with examples, even where things went wrong.

Attempting polarization is perhaps the most difficult aspect of human opposition. There should therefore soon be more objective reporting of cases, which are recognized as such, including the unraveling why it succeeded or why not to depolarize them.

Heat-Health Action Plans

Edited by: Franziska Matthies; Graham Bickler; Nose Cardeñosa Marín; Simon Hales

The work deals primarily with climate changes, heat waves and health reactions. In addition, there are a number of topics that are reviewed. The first is climate change itself. Attention is also paid to heat waves with the idea that prevention is possible! This requires meteo-early warning systems as well as public medical advice. But urban planning is also not unimportant. Nevertheless, there are still many deaths in the figures of 2006. One conclusion is that not enough actions are being organized in many European countries. The booklet gives a number of hints in theory:

Negative effects: preventive treatment! (theory)
Use existing local emergency planning systems
Go for the long term
In all sectors (not only health sector)
Communicate effectively from the government
Advise for indoor coolers
Caring for the vulnerable
Health sector & social sector must be ready
Long-term Urban planning
Real-time surveillance and evaluation

But actually we just want hands-on advice. And that’s what we get!

Recommendations to the public

Keep your house cool, close windows during the day, open windows at night
Stay out of the heat: do not walk long in the sun between 12.00 and 15.00
Hydrate your body: drink enough, but drink no alcohol or heavily sweetened drinks
Wear light, loose clothing, hat with wide brim, sunglasses
Help others
Ask your doctor for advice on medication during hot days; keep your medication below 25 ° C
Do you feel unwell, dizzy, anxious, weak?
Drink water, possibly fruit juice
Immediately rest in a cool place
Go to the doctor

Vulnerable groups

Previous tips are doubly important for vulnerable groups such as
Diabetes mellitus, hormonal disorders
Organic mental disorders, dementia, Alzheimer’s
Mental disorders due to medication or alcohol
Schizophrenia, schizotype disorders
Movement disorders (Parkinson),
Cardiovascular, hypertension, coronary arterial diseases, …
Diseases of respiration, COPD, bronchitis, …
Kidney diseases, kidney stones

Recommendations for general practitioners

Understanding thermoregulatory and haemodynamic reactions in heat
Understanding heat illness, clinical manifestations, diagnosis and treatment
Recognize early symptoms of heatstroke
Apply cooling and resuscitation
To be familiar with the risks and protection factors in heat-wave related diseases
Advice to patients to learn good protection techniques
Side effects of heat on prescribed medications
Follow up of patients in terms of sufficient drinking
Know your contacts! Teach your patients the necessary contacts!

Recommendations for residential care

The recommendations for the public remain valid
Monitor the indoor door temperatures
Move the residents / patients to a cooler place
Ask doctors to follow up the weak
Monitor the drinking by the residents
Monitor body temperature, heart rate, blood pressure, hydration, early symptoms of heat diseases
Start treatment where necessary
Inform and train the staff, if necessary, take care of different levels of staff.

Effects of heat with medication

Medications in combination with heat can
Have a direct impact on the temperature regulation of the body
Impact on the ingoing or outgoing pathways of organs, sweating and vasodilatation in the skin
Increase heat sickness
Reduce positive effects of medication
Poisoning (symptoms) worsen
Increase dehydration

Recommendations regarding drinking

Drink, only to compensate for loss by 150%
Even if you are not thirsty
Drinking excessively can have complications
With heat stroke
Adding NaCl can restore the water balance
Drinking tailored to the patient

Risk communication in case of heat

Build a trust
Dialogue, not monologue
Along all channels
Communicate faster, rather than more completely
Transparency: Clear, well-defined, easy language, factual material

Approach to heat-disease

Bring the victim in a cool location with shade
Call a doctor

Approach to heat stroke (outside the hospital)

Move to a cool place
Ice compresses in the neck, armpit and groin
Spray the skin with water at 25 ° C – 30 ° C
In case of loss of consciousness: put them on their side
With anxiety, delirium, give isotonic drink (NaCl)

Cooled interior doors

Monitor the temperature
Provide extra shade
Provide electric fans
Mobile coolers based on evaporation
Local air conditioning

Risk Analysis and Governance in EU Policy Making and Regulation – An introductory guide

Author: Bernardo Delogu

In this book, the author presents a number of concepts and methods of risk analysis that are most relevant to the development and application of EU risk policies and legal measures. It focuses on three types of risks: health risks, safety risks and environmental risks.

Throughout the book, the author starts with the concept of risk and risk analysis, and continues with the treatment of risk management, risk communication and ultimately risk governance. The book concludes with a summary chapter of the most important issues that were dealt with throughout the work.

But what are the issues that, in addition to a lot of things that had to be treated as a good principle applied to policy, were the most important aspects of this work?

Firstly, there are the risk management principles and criteria that the EU uses as a regulatory body. The first is the prudence principle (PP: precautionary principle). A second is the subsidiarity principle. The third is the proportionality principle. Each of these principles must always be justified. For example, excessive irresponsible caution can not be approved.

Other points are the risk-risk evaluation, the cost-benefit evaluation and the difference between hazards and risks. The latter was best explained up to now in this book. Hazard is a property of eg a material or a being “in itself” while a risk is a threat in which the environmental situation is taken into account. For example a cheese Camembert and the listeria bacteria. The listeria bacteria itself is a life-threatening bacterium. In an ‘environment’ of camembert, however, she is not risky for people. (

Furthermore, the relationship with stakeholders is very important for the EU. In doing so, they apply the principles of participation, openness and liability, effectiveness and ensuring systematic consultation processes across EU services, including evaluations and quality control.

The most important message that other governments and managers of companies can draw from the book is that scientific research on the risks should and should not be done independently of the policy makers. Although the scientists need to be able to do their work independently of political preferences and accompanying preconditions, it is important that they share the results with politics so that they can add values ​​other than scientific correctness, without, however, going against the principle of prudence. The policymaker must also be able to accept that science does not always give the desired answer, or even has an unambiguous answer. Everyone, the scientists, the risk managers and the decision makers, must know their own role and that of the others.