This is an incomplete thought...
Using an analogy to healthcare or epidemiology is certainly not a new thing. Some circles have been talking about this idea for quite a while. In fact, one need only think about malware being referred to as "viruses" to get an immediate connection. It's also fairly similar to the ecological analogy that some have posed in the past, particularly as it relates to application security.
That said, I noticed this week at Secure360 that many risk management people were now talking about the analogy to epidemiology, not only as it relates to evidence-based medicine and evidence-based risk management, but also as an overarching concept.
I've not had adequate time to fully parse through this notion, but intuitively I rather like the concept. It seems to map fairly cleanly to many security and risk management problems, and it certainly aligns very well with the imperative for business survivability. Whether it will continue to hold up against other practices remains to be seen, but as a starting point we could do much worse. It also provides a very good case of where compliance regimes can be beneficial (think of all the places where checklists are relied upon to ensure patient safety and well-being).
Once this idea has had some time to percolate, I'll try to loop back and write more about it...