All but the simplest of metrics will fail
I'm now firmly convinced that all but the simplest of metrics for security are doomed to failure. Something as simple as the fraction of workstations with anti-virus software installed is probably simple enough, but anything more than that is probably too complicated to be useful. I think this because of a conversation that I recently had with someone who didn't understand the difference between "4 square yards" and "4 yards square" (the first is an area of 4 square yards; the second is a square 4 yards on a side, which has an area of 16 square yards).
The person who didn't understand this difference had an undergraduate degree in engineering, so they must have had a few math classes in college. (I suppose that I should mention that this engineer does not work at Voltage.) If a person with that much technical education can't understand that difference, I'd guess that people with even less of a technical background would have a very hard time understanding any metric for security that had even a relatively modest level of complexity. I'm now wondering if even talking about the "average" amount of something is too much for many people to really understand. Even that fairly simple concept is commonly misunderstood or misinterpreted.