In my last blog post I claimed that I have not seen a good security metrics system working so far and asked whether it is a failure.
On different channels I got some reactions, which I would like to share here.
One claim is that – as risk management is at the heart of security – measuring risks and the efficiency of risk management would give the best indicator of whether we do our job. Definitely a good approach, and one I looked at as well in the past. However, measuring the efficiency of the risk management system is not that simple. What are