ABSTRACT
This chapter presents the main tools or practices to develop security metrics for governance and management purposes. A maturity model can be used as a multilevel communication tool in a company, since it makes it possible to justify and support the initiatives contained in the security program. The exercise of evaluating with a maturity model, much like the risk assessment exercise, is an opportunity to discuss and compare views on security issues by involving business leaders, risk managers, auditors, or other specialists. A security index will be able to summarize various indicators: risks, operational effectiveness, costs, etc. However, an index only makes sense if it aggregates indicators or measurements of the same type. If a security index such as the one proposed here shows a negative evolution compared with the previous period, we have to look for the new high risks and understand the reasons for their appearance.
