OMG, some people (usually ex-Gartner... for whatever mystical reason) have this uncanny ability to present information in a way that just triggers an avalanche of insight. Here is an example: "The Two Kinds Of Security Threats, And How They Affect Your Life" from Rich Mogull.
Some quotes: "We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email)."
"Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater."
"The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature."
Overall, a MUST read.
God, please, send us some credible security metrics... please.