Just a quick note -- Hoff conducted an excellent interview with Andy Jaquith at Take5 (Episode #6): Five Questions for Andy Jaquith, Yankee Group Analyst and Metrician. I liked this part (among others):
The arguments over metrics are overstated, but to the extent they are contentious, it is because "metrics" means different things to different people. For some people, who take a risk-centric view of security, metrics are about estimating risk based on a model. I'd put Pete Lindstrom, Russell Cameron Thomas and Alex Hutton in this camp.
For those with an IT operations background, metrics are what you get when you measure ongoing activities. Rich Bejtlich and I are probably closer to this view of the world. And there is a third camp that feels metrics should be all about financial measures, which brings us into the whole "return on security investment" topic. A lot of the ALE crowd thinks this is what metrics ought to be about. Just about every security certification course (SANS, CISSP) talks about ALE, for reasons I cannot fathom.
Once you understand that a person's point of view of "metrics" is going to be different depending on the camp they are in -- risk, operations or financial -- you can see why there might be some controversy between these three camps. There's also a fourth group that takes a look at the fracas and says, "I know why measuring things matter, but I don't believe a word any of you are talking about." That's Mike Rothman's view, I suspect.