Take a look at this excellent blog from Danny Lieberman, a software security expert. He draws an interesting parallel between the problems of measuring the impact of information security risk and mitigation, with measuring the impact of revenue leakage and mitigation. I am no expert on information security, but I can sympathize that, in an imperfect world, it is difficult to devise a ruler we can use to measure its imperfections.