Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest of Abuse (DOA) report, which lists autonomous system numbers of networks hosting those systems.
SI published the latest DOA report Monday and they are now using that data to illustrate individual companies hosting compromised systems. They started with 3M, then moved to Thomson Financial, AIG, and now Aflac. For these examples SI cites corporate machines sending spam, among other activities. Brian Krebs reported on other companies exhibiting the same behavior based on his conversations with SI.
This is the kind of metric I like to see. Who cares about the percentage of machines with anti-virus, blah blah. Instead, consider these: is my company -- or agency -- listed on the SI DOA report? If so, how high? Is that ranking higher this week than last? And so on... Metrics for AV coverage are like reporting on the number of band-aids on a fencer who continues to be poked by an opponent.