He is a friend of mine. I can assure you (for whatever that's worth), that everything in the article is 100% true and accurate.

Maybe you should do some research before you just mouth off about something you obviously have no clue about. Not only have several academic studies proven the value of high-frequency trading to liquidity and improvements in market structure (Smith, Brogaard), but the common misconception that it was HFT that caused the flash crash has been shown to be false. why don't you investigate what spreads were before HFT, and tell me why it's better for people to pay $0.05/share after decimilization, or 12.5 cents/share before it? Or maybe you can just google HFT, and copy and paste the first thing that you find. Oh wait, you already did that.

I didn't see anything in the note about Risk Assessment Values from isecom.org, which is the foremost methodology for determining risk based on factual evidence of an infrastructure, as well as the other elements of one's security presence (physical, social, etc.). SecurityNOW! from CIOview (www.cioview.com) integrates this idea into a powerful tool in which one can assess IT investments based expected loss, and measure ROI.

Of course, I'm biased being a volunteer at ISECOM, but I still think these are important to bring up in any Security Metrics conversation.