We don’t mean to imply that the metrics practices we have discussed previously are retarded as such, rather that there are even more sophisticated considerations than we have so far considered. Many of the metrics issues discussed below have their roots in well-established disciplines, such as commerce/business management, science, and engineering. Compared to information security, or more accurately, IT


security,* they are highly mature, tracing their histories back literally thousands of years rather than mere decades. As information security professionals with an interest in metrics, we have a lot to learn from our learned colleagues in other disciplines.