I’m often asked to help quantify the success of a security program and create incentives. I was recently trying to explain the dangers of measuring the wrong numbers when I found a book called Measuring and Managing Performance in Organizations. It looks very relevant; the publisher’s description follows.
Because people often react with unanticipated sophistication when they are being measured, measurement-based management systems can become dysfunctional, interfering with achievement of intended results. Fortunately, as the author shows, measurement dysfunction follows a pattern that can be identified and avoided.
The author’s findings are bolstered by interviews with eight recognized experts in the use of measurement to manage computer software development: David N. Card, of Software Productivity Solutions; Tom DeMarco, of the Atlantic Systems Guild; Capers Jones, of Software Productivity Research; John Musa, of AT&T Bell Laboratories; Daniel J. Paulish, of Siemens Corporate Research; Lawrence H. Putnam, of Quantitative Software Management; E. O. Tilford, Sr., of Fissure; plus the anonymous Expert X.