This document discusses security performance metrics and measuring information security. It begins by providing background on information security and risk management. It then discusses the evolution of security from a technical function focused on controls to a broader assurance function centered on risk management. The document notes that current risk management processes focus more on identifying and fixing issues than on quantifying and valuing risks. It stresses the importance of security metrics in answering business questions about security investments and performance over time. The remainder provides examples of technical security metrics in areas such as perimeter defense and system availability, as well as metrics for measuring security programs based on frameworks of controls and processes for activities such as risk management, policy compliance, and incident response.