Compliance with information security related obligations, privacy laws in particular, was already a major issue for management when this paper was written back in 2007. Over the succeeding years it has grown bigger still, yet we often hear people discussing compliance in simplistic, black-and-white or binary terms, in the sense of "You either comply or you don't". In reality, compliance is usually a matter of interpreting and weighing up the evidence concerning the extent to which the obligations have or have not been fulfilled, and their relative importance. Compliance may not be glorious Technicolor but there are definitely shades of grey!
This metrics briefing proposed a few simple measures of the extent and speed of compliance, as well as the costs relating to or arising from compliance.
In addition to legislation, it mentioned compliance with and enforcement of corporate policies and other requirements, such as good security practices and contractual obligations (PCI DSS being a classic example).
In later briefings we developed and elaborated on the concept of a 'security compliance status' metric that was introduced in this paper. Looking at the paper now, with the benefit of hindsight, it seems rather naive, but it served a purpose as a security awareness item for managers.