A. I will assume you are asking specifically about security executives given this Q&A's topic area. There are many metrics that can be used (in fact we have identified 375; read more about this in the book, Measures and Metrics in Corporate Security). However, the problem many security practitioners run into is either a) not measuring at all or b) measuring things by simply counting them (e.g., workplace violence incidents or lost laptops), rather than demonstrating the value Security brings to the business. By way of example, convey the savings to the company from your program's reduction of workplace violence issues, that is, the cost of managing an event and lost employee time, or the cost savings from reducing any potential acts because of your background due diligence program.
Unfortunately, there are no measures and metrics standards in security because organizational factors vary widely and play an important role in how you develop your metrics program. For example, type of industry, size of company, corporate culture, level of regulatory pressure and executive-level drivers influence what is deemed important to measure. Because of this, the Security Executive Council created a tool to help security executives understand and communicate what they are doing in terms of risks that are of concern to the Board. The Board Level Risk model illustrates the main categories of risk and is based on our research of many companies’ enterprise risk assessment results to find "commonalities." These categories are matched to security program mitigation efforts. Using this tool, security practitioners are now working within the strategic goals of the business, which helps them brief senior management on how security fits into the organization's overall risk management program. For more information see the article: Managing Enterprise-Wide Board Risk; also view the Council's Solution Snapshot video: Board Level Risk Categories & Security Program Elements (v.3).