A few pages ago, we mentioned there is no shortage of things that could be measured in relation to information security. Anything that changes can be measured, both in terms of the amount and the rate of change, and possibly in other dimensions as well. Given the dynamic and complex nature of information security, there are a great number of things we could measure. As this chapter will soon show, it’s really not hard to come up with a long list of potential security metrics, all candidates for our information security measurement system.