-Aims to positively influence security behavior and culture
-Big picture metrics:
a. How fast does risk arrive?
b. How long does risk survive?
c. How fast are we getting rid of risk?
d. How frequently do we get extreme vulnerabilities?
e. How much risk is moving from dev to prod?