Information security metrics are quantitative or qualitative measures that indicate the performance and effectiveness of the information security processes, controls, and objectives. The primary goal of developing information security metrics is to enable continuous improvement of the information security program and to align it with the business goals and strategy. Information security metrics can help to identify the strengths and weaknesses of the security program, to monitor and report on the progress and outcomes of the security initiatives, to evaluate the return on investment and value of the security activities, and to provide feedback and guidance for improvement actions. Information security metrics should be relevant, reliable, consistent, and actionable.

References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2, p. 116-117