This document discusses security metrics and summarizes several perspectives on developing and using metrics. It describes growing areas of interest including software security, modeling, and benchmarking. It also summarizes experiences with security metrics from organizations like GE, the Department of Veterans Affairs, and Intel. These cases highlight the importance of clear definitions, focus on high impact events, predictive modeling, and gathering substantial baseline data. The document also reviews standards, common metric types, and challenges around managing to metrics and measuring the right things.