1.) Threat and Risk Mapping Analysis in Sudan
Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless:

http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/

2.)  I thought Gunnar did a great job on these two posts:

Begin The Begin, Cloud Security : http://1raindrop.typepad.com/1_raindrop/2009/06/begin-the-begin-cloud-security.html

Enterprise Security Priorities : http://1raindrop.typepad.com/1_raindrop/2009/06/enterprise-security-priorities.html

3.)  Simlar to Gunnar’s Security Priorities is this link from CIO mag (it’s pretty dry until the second page, so I linked to that one):

Valuing an IT Service : http://www.cioupdate.com/trends/article.php/11047_3821986_2/How-to-Assign-Value-to-an-IT-Service.htm

4.)  If Physics is simply the act of observing the world around us and building mathematical models to describe it, then here’s a fun little post on Love

from the NYT (SFW): http://judson.blogs.nytimes.com/2009/05/26/guest-column-loves-me-loves-me-not-do-the-math/?em

5.)  Talk about NewSchool in practice, if you’re not subscribing to Chris Hayes Risktical blog, you’re missing out.  Here’s something he did this week that  I really liked:

The Risk Is Right http://risktical.com/2009/05/21/the-risk-is-right/ – one word, hardcore.

6.)  Finally, I’ve often said that even if you hate risk analysis, you’re doing it anyway.  Just in a bad, ad-hoc manner.  Here’s something from Gelman’s blog that suggests that you’re gonna have to eventually be “New School”:

Those who don’t know statistics are doomed to . . . rely on statistics anyway :  http://www.stat.columbia.edu/~cook/movabletype/archives/2009/06/those_who_dont.html It’s even got a Bill James mention!