Measuring IT Security
Sunday, 22 August 2010 06:53

As Charles Kettering put it, 'a problem well stated is a problem half solved'. That is surely the case for IT security. Some things (IT security among them) may appear, at least on the surface, easily measurable, largely because management teams assume they know precisely what they mean by IT security and, therefore, which elements/aspects should be measured.

Frequently I have found, though, that when it comes to measuring the effects/outcomes of IT security, management teams, boards, CTOs, IT managers, etc., use terms/phrases like 'reducing uncertainty' and 'reducing risk' interchangeably, both as a rationale for the (IT security) expenditures and as a basis for measuring the desired outcomes (of IT security).

Having been a security practitioner for 25+ years, I recognize that security, conceptually speaking, remains somewhat vague and ambiguous, even in 2010, unless or until management teams, boards, CSOs, etc., begin to describe precisely what they expect to observe following deployment of 'x' security services and/or products. Presumably, the expected observations would be measurable reductions in risk and less uncertainty about outcomes.

Security, in the sense of being personally secure, can mean different things to different people, sometimes dependent on time, location, circumstance, venue, etc. But an often agreed-upon perspective on security is that once 'x' security is in place, there will presumably be some corresponding and favorable change in risk and uncertainty.

Ultimately, the key to measuring things, security or otherwise, and their outcomes really lies in one's adeptness at articulating (bringing preciseness and clarity to) what one expects to observe following deployment of 'x', in this case IT security products and services. In other words, as Douglas Hubbard suggests many times in his book 'How to Measure Anything: Finding the Value of Intangibles in Business', if one is fuzzy about what he or she expects to observe as an outcome (from an expenditure of IT security resources, etc.), it is likely that any subsequent (quantitative) measurements will be equally fuzzy.

For starters, it may be beneficial to define the terms 'risk' and 'uncertainty'. Uncertainty is merely the lack of complete certainty about, for example, business decisions. In other words, a particular business decision may have multiple possible outcomes, with the actual outcome remaining unknown (uncertain) precisely because those 'extra' possibilities exist.

Risk, on the other hand, is one state of uncertainty: multiple possibilities exist, but should they materialize, they will involve some type or degree of loss or other undesirable outcome to a company's assets.

Measuring uncertainty, then (in the case of IT security), is measuring a set of probabilities that a CSO, CTO, and/or CIO has assigned to a set of possibilities. For example, following deployment of certain IT security products and services, we expect to observe a 60% reduction in the probability that personal/proprietary data and information will be extracted illicitly.

Measurement of risk, on the other hand, is a set of possibilities, each with a quantified probability of loss, e.g., after deployment of IT security services and products, there remains a 15% probability that the company will experience theft of proprietary data and information by insiders.
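The two definitions above can be made concrete as a small worked example (added here; it is not part of the original post). It treats uncertainty as the probabilities assigned to every stated possibility and risk as the subset of those possibilities that carry a loss, then applies the article's figures: a 60% reduction in the probability of illicit data extraction and a residual 15% probability of insider theft. The possibility names and loss amounts are constructed sample values, not data from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Possibility:
    """One stated possibility with the probability assigned to it for a period."""
    name: str
    probability: float  # estimated probability it materialises (0..1)
    loss: float         # estimated loss if it does; 0.0 means no loss (not a risk)


def uncertainty(possibilities):
    """Uncertainty, per the article: the set of probabilities assigned to the possibilities."""
    return {p.name: p.probability for p in possibilities}


def risk(possibilities):
    """Risk, per the article: only the possibilities that involve a loss."""
    return [p for p in possibilities if p.loss > 0.0]


def expected_loss(possibilities):
    """Probability-weighted loss over the risk subset (the quantity a control should move)."""
    return sum(p.probability * p.loss for p in risk(possibilities))


def apply_control(possibilities, reductions):
    """Return the register after deployment; reductions maps name -> fractional probability cut."""
    adjusted = []
    for p in possibilities:
        cut = reductions.get(p.name, 0.0)
        if not 0.0 <= cut <= 1.0:
            raise ValueError(f"reduction for {p.name!r} must be between 0 and 1, got {cut}")
        adjusted.append(Possibility(p.name, p.probability * (1.0 - cut), p.loss))
    return adjusted


def measurement_report(before, after):
    """The expected observation stated up front: what changed, and what risk remains."""
    el_before, el_after = expected_loss(before), expected_loss(after)
    return {
        "expected_loss_before": el_before,
        "expected_loss_after": el_after,
        "expected_loss_reduction": (el_before - el_after) / el_before if el_before else 0.0,
        "residual_probability": uncertainty(risk(after)),
    }


# Constructed sample register (hypothetical figures, not the article's data).
BEFORE = [
    Possibility("illicit extraction of proprietary data", 0.25, 400_000.0),
    Possibility("insider theft of proprietary data", 0.15, 250_000.0),
]
AFTER = apply_control(BEFORE, {"illicit extraction of proprietary data": 0.60})
```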

Mr. Moberly has conducted numerous national presentations, seminars, and training for business organizations and professional associations on a range of issues related to helping companies sustain control, use, ownership, and value of their intellectual property, intangible assets, proprietary information and competitive advantages.

A professor at Southern Illinois University (1982-2002), Mike brings strong domestic and international experience, operational insights, research regimen, and concise/objective writing skills to benefit his clients. As a researcher, analyst, strategist, educator, and practitioner, Mike offers services to various business venues and transactions in which intellectual property and intangible assets are in play. Mike has BA and MPA degrees from Indiana University. He holds leadership positions in the American Society for Industrial Security International and the Intangible Asset Finance Society, among others.