Yet another great post on Riskanalys on risk management.
A lot of people out there have been bashing the risk management model of data security. The essence of the attack generally comes down to "that didn't come from real data." In many cases that is true.
In just as many cases, the fault lies with us: we look at the wrong data or, worse, do the right thing at the wrong time and just aren't "lucky".
Moneyball is a great book that I would recommend for anyone.
I got three great points out of it.
1. Make sure you are tracking the right metrics.
2. Even if the metrics correlate with the goals, look for better ones for your objectives. (i.e. a better batting average does make you a better player, but on-base percentage is a better indicator of whether you can generate scores)
3. Probability (luck) means that even if you are looking at the right things, sometimes you won't see what is right. The trick is to find out why, and what the real desired outcome is.
I suppose that I fall to a certain extent into the "metrics geek" camp on the security side.
In defense of the metrics people, there is precedent. The insurance and financial industries have found that the equations really do work. You just have to be measuring the right stuff.
Nuclear physicists do the same thing, and the equations are remarkably similar.