If you’ve worked in Government security, you’ll be aware of the process of reviewing independent third party vulnerability assessments. Line item by line item, the report is reviewed and discussed, usually by the approval authority, the project and the test team. The test team may arrive with the objective of making sure that their commercial liability is managed. The project may come to the table with the aim of achieving value for money on the agreed remedial actions. The authority may come with the objective of minimising the number of outstanding items. Despite the fact that this discussion might start from a spreadsheet, it’s a discussion nonetheless. And it doesn’t conclude until each party is content that their view of what security looks like, has been substantially met. You get closure when all parties agree that there are no more items to discuss, or when there is a redefinition of the problem (“It’s not a bug, it’s a feature”). Whether or not the parties agree that security has been achieved, depends on how the negotiation goes.
So security, it can be argued, doesn’t come from a spreadsheet. It’s the product of a negotiation. It’s socially constructed.