If you’ve been in Information Security for a while you have been asked for, or have seen others get asked for, an authoritative list of security metrics. This normally results in chaotic wheel invention, i.e. coming up with a new and unsatisfactory list each time.
The goal of this primer is not to make you an expert, but to 1) provide a general overview of what makes a good security metric, and 2) give you a list of options to use as a starting point.
Applying metrics to development and operations is a core tenet of DevOps practices. You can read a good article on this here.