from the other side
I'm usually ranting here about the use of statistics, risk metrics and other quantitative approaches (such as ROI) to support security decisions. Well, there is a small but very smart comment from Lindstrom regarding some of "our" arguments against those methods. I completely agree with him. That's why this blog is named "Security Balance": it's my statement that we need to pursue the balance between different approaches (security / productivity, quantitative / qualitative, network / endpoint, prevention / detection, awareness / enforcement) to achieve the best possible results. Usually my criticism of a specific subject is related to excessive confidence in its importance or effectiveness, and it should not be taken as a suggestion to completely drop it in favor of the other side. Balance is the key to better security.