http://geer.tinho.net/geer.sourceboston.13iii08.txt
cybersecurity risk
My topic for today is the future. In a sense, "the future" is once and always the topic for any security talk unless one likes to sit around one-upping each other with war stories.
For some time now, I have been promoting the idea of measurement in security, arguing that security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers. If you have heard me speak on the topic of security metrics, you will know that, consistent with the view that risk management is about changing the future rather than explaining the past, I see no need for metrics beyond their role in decision support. At our present skill in measurement of security, we generally have an ordinal scale at best, not an interval scale and certainly not a ratio scale. In plain terms, this means we can say whether X is better than Y, but how much better, and compared to what, is not so easy. Having an ordinal scale is nevertheless well and good, as knowing which is the better of two alternatives is what decision making is about.
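The ordinal/interval/ratio distinction above has a concrete consequence for anyone building a metrics dashboard: each scale licenses only certain arithmetic, and the usual failure is to compute a mean or a ratio on ranks that only support "better than". The following is an added Python illustration, not code from the talk or its author; the Measurement type, the severity labels, the time-to-patch figures and the posture score are all constructed for the example.

```python
"""Measurement scales for security metrics (added illustration, not from the talk).

Each Measurement carries its scale, and the operations below refuse arithmetic
that has no meaning on that scale, so an invalid "twice as secure" fails loudly
instead of producing a number that merely looks authoritative.
"""
from dataclasses import dataclass
from statistics import mean as _mean

ORDINAL, INTERVAL, RATIO = "ordinal", "interval", "ratio"


class ScaleError(TypeError):
    """The requested operation has no meaning on this measurement scale."""


@dataclass(frozen=True)
class Measurement:
    value: float        # numeric position; for ordinal data, the rank of the label
    scale: str          # ORDINAL, INTERVAL or RATIO
    kind: str           # what is measured, e.g. "severity" (constructed names)
    label: str = ""     # human-readable label for ordinal values

    def __post_init__(self):
        if self.scale not in (ORDINAL, INTERVAL, RATIO):
            raise ValueError(f"unknown scale {self.scale!r}")
        if self.scale == RATIO and self.value < 0:
            raise ValueError("ratio scales have a true zero; negatives are impossible")


def _check(op, allowed, *ms):
    """Reject mixed kinds and any scale on which `op` is not defined."""
    kinds = {m.kind for m in ms}
    if len(kinds) != 1:
        raise ScaleError(f"{op}: cannot combine {sorted(kinds)}")
    for m in ms:
        if m.scale not in allowed:
            raise ScaleError(f"{op}: not meaningful on {m.scale}-scale data")


def better(a, b, higher_is_better=True):
    """Which of two alternatives is better: meaningful on every scale (ordinal suffices)."""
    _check("better", (ORDINAL, INTERVAL, RATIO), a, b)
    if a.value == b.value:
        return None
    return a if (a.value > b.value) == higher_is_better else b


def difference(a, b):
    """How much better: needs equal intervals, so interval or ratio scale only."""
    _check("difference", (INTERVAL, RATIO), a, b)
    return a.value - b.value


def ratio(a, b):
    """'Twice as good': needs a true zero, so ratio scale only."""
    _check("ratio", (RATIO,), a, b)
    return a.value / b.value


def mean(ms):
    """Averaging sums values, so it is only meaningful on interval or ratio data."""
    ms = list(ms)
    _check("mean", (INTERVAL, RATIO), *ms)
    return _mean([m.value for m in ms])


# Constructed scales for the demonstration.
SEVERITY_LEVELS = ("low", "medium", "high", "critical")


def severity(label):
    """Ordinal: the rank orders the labels but says nothing about distance between them."""
    return Measurement(SEVERITY_LEVELS.index(label), ORDINAL, "severity", label)


def hours_to_patch(h):
    """Ratio: elapsed time has a true zero, so 'three times faster' is meaningful."""
    return Measurement(h, RATIO, "hours_to_patch")


def posture_delta(points):
    """Interval: a score relative to an arbitrary baseline; differences are fine, ratios are not."""
    return Measurement(points, INTERVAL, "posture_delta")


def demo():
    """Exercise each scale on constructed values and return the outcomes for inspection."""
    out = {}
    high, medium = severity("high"), severity("medium")
    out["less_severe"] = better(high, medium, higher_is_better=False).label   # "medium"
    try:
        difference(high, medium)           # how many "levels" apart is undefined
    except ScaleError as e:
        out["severity_difference"] = str(e)
    try:
        mean([high, medium])               # "average severity 1.5" is meaningless
    except ScaleError as e:
        out["severity_mean"] = str(e)
    before, after = hours_to_patch(72), hours_to_patch(24)
    out["patch_difference"] = difference(before, after)   # 48.0 hours sooner
    out["patch_ratio"] = ratio(before, after)             # 3.0: three times faster
    out["patch_mean"] = mean([before, after])             # 48.0
    q1, q2 = posture_delta(-5), posture_delta(10)
    out["posture_difference"] = difference(q2, q1)        # 15.0 points improved
    try:
        ratio(q2, q1)                      # no true zero, so no "twice as good"
    except ScaleError as e:
        out["posture_ratio"] = str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a metrics program is that `better` works on every scale, which is all that choosing between two alternatives requires, while `difference`, `ratio` and `mean` each demand a stronger scale than most current security measurements can honestly claim.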