At the RSA Conference last week, I had an interesting discussion about quantifying security. I was eating the food and drinking the beer that some vendor had cheerfully provided when I got into a discussion about whether or not it's possible to quantify security. If you could do that, it would be easy to tell whether or not your various information security initiatives made sense or not. Some might end up costing more than they provided in benefits. Others might not. And because of this, quantifying security in a meaningful way is probably one of the Holy Grails of information security.
One of the other security people that was also eating the free food and drinking the free beer claimed that it was definitely possible to find a good metric for security, even though nobody haas managed to fo it yet. Being an amateur astronomer, he then digressed into how defining the diameter of either Jupiter or a black hole provides a good example of things that look like they're hard to measure, but when you think about them, it turns out that good solutions are indeed possible.
With Jupiter, for example, you really just have a big ball of gas. Yet if you look up Jupiter on Wikipedia, you'll find that it has a well-defined diameter. Apparently, the convention is to say that the radius of a gas giant is where the gas reaches 1 atmosphere of pressure.
And with a black hole, remember that they distort space, so that the usual meaning of the size of an object doesn't apply to them very well. You definitely can't measure the diameter of a black hole with a yard stick. The convention for this is apparently to measure the circumference of the black hole's event horizon and to then divide by 2π to get the effective radius of the black hole.
So, the amateur astronomer claimed, if it's possible to define useful metrics in those cases, it's surely possible to define a metric for information security that makes sense.