Just so we are clear: Andrew Jaquith's book "Security Metrics" is not a re-run of the Return on Security Investment (ROSI) concept:
"Mercifully, the ROI fad has gone the way of the Macarena"
Instead, the book is about specific, actionable ways to measure security, how to analyze the resulting data, and how to compose the findings into an understanding of where your security actually stands.
If you work hands-on in security, you should read it. If you are a CISO or security manager, you should read it, buy a copy for each of your staff, wait three weeks and then ping them asking: "where are the security metrics?"
Full review this week.