What cannot be measured cannot be managed. This is a commonly accepted business paradigm, yet its acceptance within the security industry is not as far reaching as in other industries. Simply put, data-driven security refers to using measurable factors to drive a security program. While not all elements of a security program lend themselves to measurement, many components can be measured effectively. For example, physical 2protection systems are measured via penetration times, and barriers are measured using delay and defeat times. Other security components can be measured, though not mathematically, including the morale of protection forces.