FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons
why secure software is so hard to find. Unlikely to be anything new to SC-L
readers, but it could be worth a quick read in any case. In particular, his
recommendations (to his presumably mostly CIO audience) are quit

CIO Asia has a column on "A Few Good Metrics"
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63
The article talks about using metrics to quantify risks and control
effectiveness.
"There's no denying that proven economic principles can—and should—be
applied to