Top 5 Reasons to Denigrate Security Metrics

I find it interesting that people feel compelled to criticize security metrics while the field is still in its infancy. It is one thing to be impartial and a whole different ball game to go on the attack against them. I suspect it is due to one of these five reasons:

  1. Laziness. Metrics take work – no doubt about it. There are no magic moments with metrics, just a lot of work and the satisfaction that comes with success.
  2. Complacency. Complacent people are pretty happy with the status quo; they think that a bit of wheel-spinning here and a bit there, with a dash of what-everybody-else-is-doing helps them keep their job.
  3. Arrogance. Arrogant folks think people should believe them regardless of any evidence. Groupthink is okay, too.
  4. Insecurity. Insecure folks think objective measures of their performance may expose them for the fraud that they suspect they are.
  5. Paranoia. Paranoids think every risk is a high one and don’t want rational evaluations to get in the way of their mania. They also have unlimited resources. (A paradox: paranoids always seem to be the most surprised by the latest exploit techniques. Go figure.)

There are lots of reasons to simply ignore metrics, but to actively malign them is a strange way to behave. It’s as if people think that metrics could somehow land them in a worse state of security than we have today. But how else can they be proven right if they don’t give metrics a chance? (Hint: they’ll always be able to claim victory, because there will almost certainly be a grain of truth left in the criticisms.)