State of the art security metrics

Dan Geer has been extremely generous in posting Measuring security, a presentation/training course (350 slides with readable speaker notes!) on the application of mathematics to information security. It neatly exploits ideas from statistics and other fields of study in the context of information security, revealing a wealth of creative ideas - so much so that I spent most of my afternoon reading it cover-to-cover and thinking about the practical applications.

Dan's summary slide hardly does it justice but might be just enough to intrigue you into downloading the presentation if "security metrics" is your thing too:

• The field is a mess, but progress can be made in any direction
• State of the art is the inequality and the ordinal scale, but those suffice for much decision making
• Consistency beats clever, and trend accuracy beats point precision

Dan refers more than once to the discuss@securitymetrics.org mailing list: guess I'll have to join up if that is a guide to the level of discussion!