ABSTRACT
It is evident that we must measure to manage and yet as we have demonstrated, most approaches to contemporary metrics are not useful for management or strategic purposes and, all too often, not particularly beneficial for operational decisions either. It is the hope that the shift in perspective offered will allow a more focused approach toward developing methods for collecting the information needed for more effective information security management.
