Establishing your goals, asking the questions that help you understand how to achieve those goals, and defining the metrics that allow you to answer your questions all inevitably lead you to the central component of any successful metrics program: data. IT security metrics, like any measurements, are really about collecting and analyzing data based on the observations that you make. The metrics are simply a means of organizing and defining the data. So all the rules of good metrics apply:
You should understand your data.
You should use your data.
You should gain value and insight from your data.
You will learn about ...