We might be able to tame information security risk, but we will never domesticate it. As a consequence, there are inherent unpredictabilities with some information security metrics. We can do our level best to minimize them by using better, more reliable instrumentation and to smooth them out using the statistical techniques described in the next chapter, but they inevitably remain.