"In any case, I would argue that absolute measures are not the goal
in cybersecurity, that relative measures are sufficient for the
simple fact that relative measures -- like is such and such risk
getting worse -- are sufficient for decision support. This has
parallels in the physical world; no police department will ever
know how much heroin is for sale, but they can tell the price, and
a rising or falling price is sufficient for decision making about
what to do and whether what was already done had a positive effect."