The list is intended for use by security professionals in enterprises to properly assess the relative strength/weakness of their programs.

Value-based pricing is an interesting use case, but not one I intended. I will have to think about how it might work. At this stage, it isn’t practical simply because nobody is really doing anything like this in enterprises.

One of the possible uses of value-based metrics is to drive pricing of security products and services – in other words, payment by results. (Both for cross-charging within a single organization, and for billing between organizations.)

Do you have any experience of this?

One of the main problems in computer security is a lack of agreed upon metrics for measurement and resource allocation purposes, this inhibits the ability to make progress. Pete Lindstrom has posted an interesting decomposition of the security metrics …