OK, we have somehow found the time to devote to security metrics. We have walked through a structured process for specifying and scoring a single metric, and we’ve practiced our skills on 150+ metrics examples. But how, exactly, do we establish performance measures that will derive maximum value from information security? We have a way to go yet.