Gordon on Security
There’s a good interview with Larry Gordon at SecurityPipeline. It came out in April of last year, but I’d missed it. Gordon has hosted the Security and Economics workshop.
“I go to security conferences where we all sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says Adam Stone, an analyst who specializes in security management for the financial services industry. “The metrics we have right now–the ones we use for assessing vulnerability and measuring the effectiveness of our investments–are all based on subjective judgments. They’re fundamentally flawed. But there are financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time, with methods that allow them to predict and measure business effectiveness in a rational way. We can learn from them.”
(Thanks to Mr. X for the pointer.)