Security Metrics as a Clothing Size??

Today I read about the Flame virus on the Washington Post and all I could think was "hmmmm, what an odd way to describe the virus."  The author's point seems to be that the virus is extremely complex and includes a range of functions and features making it resemble a complete software package more than run-of-the-mill malware.  However, I still don't know that classifying it as "20 times bigger" than Stuxnet really conveys any of that to the reader with a security background.

What is the measurement by which we are saying it is 20 times bigger anyway?  Are we measuring by lines of code or the size of the malware on disk?  Maybe it just has 20 times more functions.

Thankfully, there was at least a quote regarding the fact that size is not a great measure of the sophistication of software, but maybe I'm being backwards on this.  If we are trying to convey information about security issues to laypeople, then perhaps classifying them like this is the way to go.  Maybe we need to simply rate them from XXS to XXL with Code Red and Nimda falling somewhere around M.  The problem with that though is we're eventually going to have to keep adding Xs to the XXL as attacks become more advanced.

In any case, I'm not trying to say the article in the Post was a bad one, but that way of describing it (and seeing that as the headline) seemed odd to me.  I'm interested in other opinions on the matter though so post comments.
