You cannot improve what you cannot measure, and this applies to information security as well. Although many standards describe security measurements and metrics, none are widely accepted in practice. The workshop will first establish background by explaining some well-known risk management standards from ISO and NIST, and then proceed to define criteria for selecting and building information security measurements. A case study of a major bank, where a comprehensive metrics program was developed, will be discussed, and a practical methodology for setting up a sound risk measurement program will be explained.