Dan's summary slide hardly does it justice but might be just enough to intrigue you into downloading the presentation if "security metrics" is your thing too:
• The field is a mess, but progress can be made in any direction
• State of the art is the inequality and the ordinal scale, but those suffice for much decision making
• Consistency beats clever, and trend accuracy beats point precision
Dan refers more than once to the email@example.com mailing list: guess I'll have to join up if that is a guide to the level of discussion!