lcamtuf's blog: In praise of anarchy: metrics are holding you back.
Michal Zalewski presents two risks of a security metrics program – reduced adaptability and agility.
The frameworks for constructing security metrics often promise to advance one’s adaptability and agility, but that’s very seldom true. These attributes depend entirely on having bright, inquisitive security engineers thriving in a healthy corporate culture. A dysfunctional organization, or a security team with no technical insight, will not be saved by a checklist and a set of indicators; while a healthy team is unlikely to truly benefit from having them.
While I am surely not advocating against security metrics, it is worth noting the risks.