Fear, uncertainty and doubt: The pillars of justification for cyber security

One can readily find computer and network security courses in most computer science departments, but we are likely overly ambitious calling computer security a science. The profession certainly has the aspects of an art, and it is fair to call much of the work engineering, but it lacks the rigor and objectivity of a science when put into practice. Security metrics are highly desired, but they are difficult to come by. In fact, developing objective security metrics is considered to be one of the grand challenges of the field