Levels of spam are currently down, quite substantially. It's reportedly because a major source has gone off the air. But has the threat gone away? Unfortunately not. In fact, it illustrates one of the perils of over-reliance on security metrics.
Do not dismiss metrics. Visibility is a cornerstone of security. You cannot manage security without sight of threats, vulnerabilities and events. Metrics are a natural development in this direction, as well as an obvious criterion for performance measurement.
But seeing should not imply believing. Many metrics are selected to achieve a bonus, to justify a business case, or to complete a security management framework. These are the wrong reasons for the enterprise, Security metrics can help identify and to justify trends. But events are subject to wild swings, often unconnected to the quality of the security management framework.
Given that the general trend is for ever-increasing security
incidents, it makes sense to anticipate a world with greater incidents. But do
not place too much reliance on real-time statistics. Every now and then, we
will experience a quiet period. Do not be fooled. We are on a collision course to a world of information insecurity.