I just finished my first read of Security Metrics: Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. The book attempts to make information security measurable by defining and discussing a (large) number of metrics. The book is interesting, funny at times, and addresses an issue that many information security professionals who deal with senior management are familiar with.

I would recommend this book for information security professionals.