There has been a big push in recent years in the security community toward metrics. But measurement for measurement's sake is useless, and perhaps even counterproductive, if the security team in an organization doesn't define its goals and parameters ahead of time, experts say. Security professionals have for years been measuring things such as the number of vulnerabilities in a given application and the time it takes to fix flaws. But there is likely more value in finding ways to measure things like the cost of fixing a vulnerability at each stage of the software development lifecycle.
Source: https://threatpost.com/security-metrics-are-useless-without-plan-111309/73095/

