In a Firemon sponsored Ponemon study respondents were asked to rate the importance of specific metrics in communicating the state of security risk to senior executives and IT management.

The following metrics are considered to be most important in achieving more effective communications. 

• Metrics on compliance with security standards and frameworks. Metrics most often used are length of time to implement security patches and the reduction in audit findings, especially repeat findings.
• Metrics on the management of security threat. Metrics most often used are reduction in the number of known vulnerabilities and percentage of endpoints free of malware and viruses. 
• Metrics on the minimization of disruption to business & IT operations. Metrics most often used is reduction in unplanned system downtime. 
• Metrics on staff and employee competence. Metrics most often used is number of end users receiving appropriate training. 
• Metrics on efficient management of resources and spending. Metrics most often used is reduction in the cost of security management activities. 
• Time-dependent metrics on the discovery and containment of compromises and breaches. Metrics most often used are mean time to fix, to identify and know root causes. 
• Metrics on the minimization of third-party security risks. Metrics most often used is the number of third parties that attest to meeting compliance and security standards.

 The full study can be found here.