From Kelvin’s “[W]hen you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind” to Maxwell’s “To measure is to know” to Galbraith’s “Measurement motivates,” there is little need to argue here on behalf of numbers. Doubtless you would not now be holding this book if you didn’t have some faith in the proposition that security needs numbers.

But what kind of numbers? Ay, there’s the rub. We need numbers that tell a story and, which is more, say something that allows us to steer for where we are going, not just log from whence we have come. We have to acknowledge the central creed of the statistician: all numbers have bias; the question is whether you can correct for it. As security practitioners we have ...

