Information Security Management Metrics

If you are keen to learn about security metrics and perhaps even design or at least refine your own information security measurement system, I recommend Krag Brotby's thought-provoking book Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement.  Managing information security properly demands the use of suitable metrics at all levels from defining security strategy and governance, through prioritizing resources and investing in security, down to decision support for a million day-to-day operational security management decisions.  Krag's book won't give you a checklist of things to measure, but it will lay the groundwork and set you up to define your own metrics shortlist. 

If you are using the ISO27k standards and plan to adopt the metrics advice in ISO/IEC 27004, make the time to read Krag's book before you dive right in at the deep end.