How do security pros typically make the case for more, better or stronger security? Beyond scaring crowds at the beginning of presentations, how do we convince senior management that we need more resources than last year? Answer: Numbers - big numbers!

We still use quite a bit of fear, uncertainty & doubt (FUD) as well, but metrics, dashboards and score cards are hot items right now. Yes, there are good reasons for using security metrics and big numbers.

Here are a few recent headline examples:

Computer viruses, trojans, malware, Ransomware, botnets: Web attacks are soaring – “In its quarterly "Threats Report," Intel subsidiary McAfee said that it had found more than 8 million new kinds of malware in the second quarter, up 23% from the first quarter. There are now more than 90 million unique strands of malware in the wild, the security company said.”

Cyber Attacks On Feds Soar 680% In 6 Years: GAO – “Reported cybersecurity incidents at federal agencies have risen 680 percent in six years, the Government Accountability Organization testified today -- and note that key word "reported," which means that's just the ones we know about.”

Global cyber-security tab hits $10 billion – “Cyber-attacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.”

Budget cuts and the next Pearl Harbor – “Billions at stake”

But is this the most effective strategy? There is no doubt that good measurements are essential in technology, security and all areas of business. We need to make sure that the measurements we are using are relevant and accurate. We need to compare where we were to where we are and where we are going.
We need to ensure that we are aware of new trends and innovative approaches.

Find Relevant Stories

I found it interesting that both political parties featured speakers who told stories at their 2012 conventions. Sure, there were numbers describing the federal deficit, unemployment rate, number of jobs created and more, but most speakers connected the numbers to real-life situations and personal stories.

I like this excerpt from the CNN article about the candidates’ wives:

“We Americans believe that a wife can tell us about her husband in ways we can't discern from ads, stump speeches, or even debates: about his personal morality, his character, how he reacts to crisis -- in short, who he really is.”

I think the same is true of making the case for cybersecurity. Sure, we need to measure progress with good numbers, but add a story or two to make the situation real to the audience you are speaking to. I like the slideshow examples provided by this Bloomberg article on Extortion in the Digital Age. Here’s an excerpt from their 3rd example:

Holding S.F.'s Network Hostage

“A San Francisco city employee was so desperate to save his job as a network technician that he hijacked the city's computers and held them hostage to protest his reassignment in 2008. Terry Childs was being transferred because of conflicts with management when he locked out his supervisors by withholding network passwords, prosecutors said. Childs's move was described by prosecutors as a "power play" to turn the city's network into a "pawn" in his feud with management. He gave up his fight after a high-profile intervention: Then-Mayor Gavin Newsom paid a visit to Childs in jail and left with the passwords.
Childs was sentenced to four years in prison.”

Notice how real names and real people in real situations, with specific details, build a very intriguing case?

I think security pros can learn from these stories – and be more effective if we can learn to tell the stories in ways that impact the audience we are talking to.

What are your thoughts on this topic?

Any good cyber stories to share?