How do we measure effectiveness in the field of information security? The only consistent answer Ive found is it depends. The operational security teams at various companies will likely be using some form of risk management process though whether they measure relative results or specific financial results will also vary. I hope to create a forum for discussion here where we can have fun discussing all manner of security topics, but with the recurring theme of seeing if we can make it practical, useful and measurable. If you have thoughts or questions send comments my way and we can dig into them together.”]
Source: https://www.csoonline.com/article/2136923/a-focus-on-security-metrics.html