Information security metrics don’t have to rely on heavy-duty math to be effective, but they also don’t have to be dumbed down to red, yellow, green. This article from CSO presents five smart measurements—and effective ways to present them. Metrics have a bad rep. Mention metrics to a CISO and immediately his thoughts may well turn to sigmas, standard deviations and, probably, probability. There’s no denying that proven economic principles can—and should—be applied to information security investments. Metrics that need no heavy-duty math are sitting in your log files, on your network, in the brains of your business unit managers, just waiting to be harvested. The article discusses five such metrics, along with some ways to present them visually, as imagined by Andrew Jaquith. At @stake he invented a popular analytic methodology that is used to evaluate a client’s risk in its application portfolio. More recently he started Securitymetrics.org, a website open to all security professionals for sharing, contributing and advancing the use of metrics in information security.