"I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs," says Adam Stone, an analyst who specializes in security management for the financial services industry. "The metrics we have right now--the ones we use for assessing vulnerability and measuring the effectiveness of our investments--are all based on subjective judgments. They're fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them."
The situation reflects the relative immaturity of the infosec industry, Stone adds. "People in information security are often technicians--gearheads," he says. "Very few of us have come up through the ranks of accounting or financial management, so we don't think in those terms."
Of course, it's not entirely true that security professionals never think in the same terms as financial officers. The information security manager at a Fortune 100 corporation, for instance, has implemented a program to measure rates of return on the company's IPS (intrusion-prevention system), including a checklist of costs incurred to address problems flagged by the system.