Through this book, we offer what we hope is eminently practical guidance on a very thorny topic, one that is all too often skirted or avoided by information security professionals and business managers, the very people for whom useful information security metrics would be a godsend. We have laid out a rational, step-by-step process for locating, assessing, selecting, and using information security metrics that form the building blocks for a coherent information security measurement system.