Donal to Securitymetrics mailing list.
Is not our problem that of assigning value to digital objects and/or their contents? First we need a good handle on our objects.
So intrinsic in 'Security Metrics' I posit are 'Non-Security Metrics' of sorts ;)
Are we putting the cart before the horse?
Basically the thrust here is that we are trying to measure security and risk without actually fully measuring the playing field, players and game to begin with. This is self-defeating as we only then sell FUD. One must first assign a value to digital objects no matter how hard that may be. I have suggested interim value units in the past that can be subsequently assigned dynamic financial values on a per organisation basis. This could be achieved with DNS ( though DNS is a target in itself! )
"Security metrics deal with risk and risk is not about security - it's about the utility of content." ( From a highly respected individual in the field. )
So how do we measure our content and track it in the first place?
We cannot assign a value to something if we don't know it's actually there, what it is exactly... how many of them there are and where etc. Flexible real time distributed content inventory is required. This harks back to my emerging belief in a form of 'Total Information Awareness' and digital surveillance of networks. Distributed endpoint file/object indexing, keylogging etc. This then also raises issues regarding the security of said goldmine of information.
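As an added illustration of the "inventory first, then value, then risk" ordering argued above (example code, not from the post or the securitymetrics list): a minimal endpoint content inventory that walks a directory tree, records what each object is and where it is, tags it with an interim value unit, and only then converts units to a per-organisation financial figure. The content classes, the unit scale in VALUE_UNITS and the conversion rates in ORG_RATES are constructed assumptions standing in for whatever scheme an organisation would actually adopt; the sample files are built in a temporary directory so the script runs offline.

```python
"""Added example: endpoint content inventory with interim value units.

Illustrative code only; the classification rules, unit scale and
per-organisation conversion rates are constructed assumptions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Constructed interim value units keyed by a coarse content class.
# The point is a stable unit that can be re-priced per organisation later.
VALUE_UNITS: Dict[str, int] = {
    "credential": 5,
    "customer_record": 3,
    "source": 2,
    "generic": 1,
}

# Constructed per-organisation conversion: one value unit -> currency amount.
ORG_RATES: Dict[str, float] = {"acme": 1000.0, "smallco": 50.0}


@dataclass
class InventoryEntry:
    path: str           # where the object is (relative to the scanned root)
    sha256: str         # what it is, stably, for later reconciliation
    size: int
    content_class: str
    value_units: int


def classify(path: str, data: bytes) -> str:
    """Assign a coarse content class from the file name and a byte-level hint.

    Deliberately simple; a real inventory would use richer content inspection.
    """
    name = os.path.basename(path).lower()
    if name.endswith((".key", ".pem")) or b"PRIVATE KEY" in data:
        return "credential"
    if name.endswith(".csv") and b"email" in data.lower():
        return "customer_record"
    if name.endswith((".py", ".c", ".go")):
        return "source"
    return "generic"


def inventory(root: str) -> List[InventoryEntry]:
    """Walk the tree and record every object with its hash, class and units."""
    entries: List[InventoryEntry] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            cls = classify(full, data)
            entries.append(InventoryEntry(
                path=os.path.relpath(full, root),
                sha256=hashlib.sha256(data).hexdigest(),
                size=len(data),
                content_class=cls,
                value_units=VALUE_UNITS[cls],
            ))
    return entries


def total_units(entries: List[InventoryEntry]) -> int:
    """Organisation-independent total: what the inventory is worth in units."""
    return sum(e.value_units for e in entries)


def financial_value(entries: List[InventoryEntry], org: str) -> float:
    """Re-price the same inventory for a given organisation."""
    return total_units(entries) * ORG_RATES[org]


def build_sample_tree() -> str:
    """Constructed sample endpoint: a handful of files in a temp directory."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    samples = {
        "notes.txt": b"meeting notes",
        "customers.csv": b"name,email\nalice,alice@example.invalid\n",
        "server.key": b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n",
        "src/app.py": b"print('hello')\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    entries = inventory(build_sample_tree())
    for e in entries:
        print(f"{e.path:16} {e.content_class:16} units={e.value_units} sha256={e.sha256[:12]}")
    print("total units:", total_units(entries))
    for org in ORG_RATES:
        print(f"{org}: {financial_value(entries, org):.2f}")
```

The two-step split (units first, currency second) is what lets the same inventory feed different organisations' risk figures without re-scanning. The resulting index is itself the "goldmine" the post warns about: paths, hashes and value tags of every sensitive object on every endpoint, so the store that holds it needs at least the protection of the most valuable object it describes.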
Yes, I am steering back towards the 'network computer'... thin everything!