FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons
why secure software is so hard to find. Unlikely to be anything new to SC-L
readers, but it could be worth a quick read in any case. In particular, his
recommendations (to his presumably mostly CIO audience) are
CIO Asia has a column on A Few Good Metrics
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63
The article talks about using metrics to quantify risks and control
effectiveness.
There's no denying that proven economic principles can—and should—be
applied to