Interesting point in Spire Security Viewpoint about measuring important security metrics:

In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.

There is one glaring problem with this line of reasoning – it is impossible to ignore loss expectancy and asset valuation in risk management.

This is as fundamental a problem as we have in information security today.

— On Value and Loss, by Pete Lindstrom, Spire Security Viewpoint, 18 April 2007

Even advertising can’t get away without some sort of measurements of its effectiveness. If marketing came to the CEO and said “I want to spend X more for this program” and had no metrics to back up what sales, profit, good will, or something that that program had generated last year, nor any prediction for what it might generate this coming year, probably no more money would be forthcoming. Yet IT security operates like that. Continue reading →