Archive for March, 2008

What you measure matters

Wednesday, March 19th, 2008

Don’t assume that traditional measures are good measures. For an example, The Economist looks at GDP growth:

WHICH economy has enjoyed the best economic performance over the past five years: America’s or Japan’s? Most people will pick America. The popular perception is that America’s vibrant economy was sprinting ahead (albeit fuelled by credit and housing bubbles that have now painfully burst), whereas Japan crawled along at a snail’s pace. And it is true that America’s average annual real GDP growth of 2.9% was much faster than Japan’s 2.1%. However, the single best gauge of economic performance is not growth in GDP, but GDP per person, which is a rough guide to average living standards. It tells a completely different story.

(emphasis mine)

For example…

Using growth in GDP per head rather than crude GDP growth reveals a strikingly different picture of other countries’ economic health. For example, Australian politicians often boast that their economy has had one of the fastest growth rates among the major developed nations—an average of 3.3% over the past five years. But Australia has also had one of the biggest increases in population; its GDP per head has grown no faster than Japan’s over this period. Likewise, Spain has been one of the euro area’s star performers in terms of GDP growth, but over the past three years output per person has grown more slowly than in Germany, which like Japan, has a shrinking population.

Some emerging economies also look less impressive when growth is compared on a per-person basis. One of the supposedly booming BRIC countries, Brazil, has seen its GDP per head increase by only 2.3% per year since 2003, barely any faster than Japan’s. Russia, by contrast, enjoyed annual average growth in GDP per head of 7.4% because the population is falling faster than in any other large country (by 0.5% a year). Indians love to boast that their economy’s growth rate has almost caught up with China’s, but its population is also expanding much faster. Over the past five years, the 10.2% average increase in China’s income per head dwarfed India’s 6.8% gain.

So, if you’re a Finance Minister, you’re apparently going to go with the number that makes you look best (total growth) rather than the number that most accurately reflects the economic fortunes of your populace–and even that number is probably not as good as median per-capita growth, especially as a measure of relative change. The Minister knows better (I hope), but presents the less-honest number and knows that the vast majority will never catch him at it.

a problem I may not actually have

Tuesday, March 18th, 2008

I’ve been looking at my anti-virus metrics of late, and I’m thinking that I’ve been asking the wrong questions there. Basically, I’ve got two different sets of anti-virus metrics: coverage rates (% of machines with anti-virus deployed, by region) and infection rates (% of machines with infections, again per region).

But I noticed this morning that, depending on how I’m defining my population, we’re only seeing 1-2% of the identified infections. That is, itself, only 7% of my total system population, or 0.1% (1/10th of 1%) of my total population calling the help desk due to malware problems every month.

So I’ve been failing my own first question for a security issue–is this a problem I have?

Amrit rocks the house with some Desktop Security Agent BOTE calc’s

Friday, March 14th, 2008

Amrit asks, “Is the cure costlier than the disease?” regarding desktop security agents. His story starts out familiarly enough:

When I was still an analyst I was part of the mobile workforce, coming into the office maybe once or twice a year. The company-owned laptop I was provided ran 4 different security agents, plus several other agents for various systems management functions (asset, configuration, etc.) and remote access. Since the majority of the time the company had no ability to manage these mobile systems they would enforce some fairly draconian security policies, such as locking down aspects of the OS, disallowing certain protocols and applications to traverse the network VPN, as well as configuring the various scan-based security technologies to scan the system on a recurring basis (OK so maybe these are all reasonable and I felt they were draconian because I suffer from a Nietzsche “super-employee” complex and believe myself to be above the normal security policies of other employees - coincidentally I stopped using the corporate supplied laptop and switched to a Mac).

Here is the kicker, my machine suffered from significant performance problems. Not only did it now take a good 5+ minutes to restart, it was unusable during a scan - which meant I was unable to work several hours a week

This is the story of the life of the average “enterprise” worker. In a past life, we were effectively told, “you can’t add any more agents unless you take one of the existing ones away.” Today, I “only” suffer from two or three different security-related agents on my laptop, which is especially ironic given that I do much of my work inside a virtual machine running Ubuntu Linux.

Getting back to Amrit, though, he’s kind enough to provide a great Back-of-the-Envelope (BOTE) analysis of the costs of providing desktop “security” for a theoretical 5,000 person company.

How’s it stack up, and to what? Amrit uses the same data set I used for my DLP and Full Disk Encryption BOTE analysis, the ISF’s Annual Survey, which told him:

“The Computer Security Institute conducted a survey of 538 computer security practitioners in corporations, government agencies, financial institutions, medical institutions, and universities in the United States. Their results revealed that 85 percent of respondents had detected computer security breaches within a twelve-month period. The 35 percent who listed a financial impact reported $377,828,700 in financial losses. Of these, many cited their Internet connection as the point of attack for hackers.”

I’m not going to give you the spoiler–you can go read it yourself–other than to say I wholeheartedly agree with his assumptions, his methodology, and his conclusion.

Be unafraid

Wednesday, March 5th, 2008

What we need is this:

But what we get is this: