ABSTRACT

Introduction

Science tells us that unless one can measure something, one cannot recognize its presence or its absence. This often surprises those who treat security as binary: present or absent, secure or insecure. We do not seem to have good metrics for IT in general, and for IT security in particular. Historically, only the most mature IT and security programs have been measured in the same way that we measure other business functions such as design, assembly, and distribution. Such mature programs are few and far between.