If the end result is the response to an attack, why don't more metrics measure the response? Take phishing. We need to track the time it takes for IT to investigate and blackhole a phish. That's what drives organizational immunity. Also, smoothies per mile, but that's another video.