Sunday, May 3, 2015

Quantitative Assessment?

This week I searched for a couple of good articles on different opinions of quantitatively assessing controls. In my search I found an article I got stuck on trying to wrap my mind around, but I like the concept. It is not totally new because some of the cybersecurity measures at work are similar.

One of the interesting items in the article was:

In practice, decision makers must constantly balance availability (i.e., the ability of end users to derive benefit from the system), confidentiality (i.e., the protection of information from access by unauthorized users), and integrity (i.e., the protection of information from unauthorized modification). This task involves complex, typically enterprise- and system-specific, tradeoffs that require an appropriate balance between properties that are not entirely consistent with each other.

That is a common issue: how secure do you make a system while still keeping it usable?

The method described in the article is based on time-to-compromise.

Hughes, J. and Cybenko, G. (2013, August). Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity.
