Holistic security metrics

Yet again today I find my blood pressure reading as I read yet another incredibly biased pronouncement on security metrics from security vendors:
"Do you know what security metrics are right for your organization? For a holistic view, both network and host metrics are required, including firewalls, routers, load balancers, and hosts."
To claim that having network and host security metrics qualifies as holistic almost beggars belief, for any thinking person's definition of the term but I'm afraid it's typical of the incredibly myopic purely technical perspective on security metrics, continually reiterated for blatantly obvious marketing reasons by the purveyors of ... IT security products.

Being sick and tired of explaining that IT security is a dead end off the main information security highway, I'll merely suggest a few non-technical security metrics that might get us a tiny bit closer towards a truly holistic view:

For an holistic view of information security, I respectfully submit that "network and host metrics" fall woefully short of sufficient.  They are needed, yes, but they are definitely not enough.