Given that measurement can both establish the facts and drive systematic improvement, I wonder whether I might develop a metric to measure organizations' approach to security metrics?
Specifically, I have in mind a security metrics maturity metric (!).
Immature organizations are likely to have few if any security metrics in place, with little appreciation of what they might be missing out on and little impetus to do anything about it. In short, they are absolutely rubbish at it.
Highly mature organizations, in contrast, will have a comprehensive, well-designed system of metrics that they are both actively using to manage their information risk and security, and actively refining to squeeze every last ounce of value from them. They are brilliant.
Those two outlines roughly describe the end points of a maturity scale, but what about those in the middle? What other aspects or features have I seen in my travels, what other characteristics are indicative of the maturity status?
Eating my own dogfood, before deciding on the Metric I should first have elaborated on the Goals of security metrics and the Questions arising (the GQM method). However, now, even with a maturity metric in mind, the same process of determining the Goals and Questions can help me work out the characteristics against which to assess organizations, the maturity Metric's measurement scale as it were.
Sorry if this is gibberish. I'm thinking aloud here, making lots of assumptions and skipping ahead while doing other stuff ... which I really ought to get on with, so I'll stop for now and pick this thread back up later on, unless I completely lose the plot.