Timing is everything. Thanks for the clarification – I figured it was something like this. I don’t object to you using my name, I object to you using my name in conjunction with a “camp” that you consider interested in imaginary things.

Pete

Thanks for your post about my interview with Hoff. It seems that the sins I committed were twofold: putting your name somewhere in my post, and attempting to place you into a camp. My point in doing both wasn’t to call you, Alex or anybody else out. I meant simply to break down the metrics space into styles of thought — modelers, measurers, and the like, and to give a few examples of people who seemed to me that they, more often than not, were inclined to think in those styles. To me, that’s Press Relations 101: put together a simple narrative with plain language, and give examples. We can certainly argue over whether I got the camps (or their members) right. But let’s not forget what Hoff asked: he wanted to know why things were contentious. I half-agreed, and provided a theory as to why I thought that might be the case. That’s it.

By the way, lest you think that I was trying to do the security metrics equivalent of ethnic cleansing — forcibly dividing people into camps — you’ll note that I also wrote this: “Metrics aren’t really that contentious. Just about everyone in the securitymetrics.org community is pretty friendly and courteous. It’s a ‘big tent.’ Most of the differences are with respect to inclination.” It’s that last word — inclination — that’s important. In the same way that a left-handed person doesn’t turn into a clumsy slobbering fool when confronted with a water glass at a state dinner, being inclined to think about metrics a certain way doesn’t negate other modes, either. Indeed, that is exactly why my post included allusions to things like models, cost and revenue calculations in the logistics industry. There is no “dichotomy”: Saying so is (grin) simplistic too.

With regard to activity-based metrics: you won’t get any argument from me that certain people are talking about this. My rant about that was more directed at security product companies: I should have specified that those are the “nobodies” I meant. Vendors rely almost solely on risk and threat “metrics” as the thing they report on. I think we need operations-oriented activity-based costing (wow, there’s a mouthful) supported directly in security products, not ever-more-polished Hamster Wheels of Pain.