This document discusses measures and metrics for corporate security. It is divided into 4 sections. The first section provides an introduction and overview on the importance of metrics for security from different contexts like risk management, regulation and legal. The second section describes different types of metrics and performance indicators that can be used, including dashboards, risk analyses, vulnerability assessments and leading vs lagging indicators. The third section discusses building a metrics model tailored to each organization's needs by considering factors like business type, important data, objectives and metrics to measure. The last section provides examples of specific security-related measures around areas like risk communication, audits, investigations and operations. It concludes with examples of risk measure maps.