On the other hand, I have a real problem with how many of our most educated and knowledgeable security professionals repeat the mantra derived from Lord Kelvin’s well-known statement, paraphrased as “You can’t manage what you can’t measure.” Apparently, his actual words were “To measure is to know” and “If you cannot measure it, you cannot improve it.”
By the way, Lord Kelvin is also known to have said: “Radio has no future,” which reminds me of the 1977 quote attributed to Ken Olsen, the founder and CEO of DEC, that “There is no reason for any individual to have a computer in his home.” Or Thomas Watson Sr., the former head of IBM, who apparently predicted, in the 1940s, that the total world demand for computers would be four or five machines. So much for Lord Kelvin’s, Ken Olsen’s and Thomas Watson Sr.’s credibility!
A long list of Lord Kelvin’s quotes is available at http://zapatopi.net/kelvin/quotes/ and the quote from Mr. Olsen is confirmed at www.snopes.com/quotes/kenolsen.asp. Also see “A history of incredibly ignorant and stupid statements” at http://qi.com/talk/viewtopic.php?start=0&t=8100.
Back to metrics … The chant about measuring as the fount of knowledge has been shown to be inaccurate or inappropriate in many cases … and yet its proponents are undeterred. My favorite article on the topic is “Seven Myths about Information Security Metrics” by Dr. Gary Hinson in the June 2006 issue of The ISSA Journal. Dr. Hinson debunks many of the claims about what is needed for managing security.
