If your company is like the ones I’ve worked in, there 2 kinds of metrics around the security program:

1. Real, meaningful numbers that measure risk.
2. Sexy numbers, graphs and pictures that don’t mean much.

F-Secure gives us an example of the latter with their World Map. I don’t actually have a problem with this kind of metric if it helps generate interest in the subject. It’s only when we over focus sexy metrics and use them to make decisions with that we’re in trouble.

Evidently, Montana got screwed yesterday.

F-Secure World Map [f-secure]