August 2014
Intermediate to advanced
408 pages
14h 1m
English
In this chapter, the authors discuss information security metrics and how they relate to risk. They begin with the current state of metrics and what the goal state should look like. They then review the goals, metrics, question (QGM) approach to defining metrics and walk through a list of sample metrics. The authors also review visibility metrics and how to acquire data to support them. Loss exposure is discussed, along with its importance to the overall metrics program. Finally, variability metrics are discussed as an important part of the overall metrics program.