An efficient IT security management relies upon the ability to make a good compromise between the cost of security countermeasures to be implemented, and the reality of informational risks an organization have to face. In fact, it concerns the capacity of an IT security manager to make decisions in a dynamic and complex environment. Even a well-experienced manager needs reliable tools to optimize the decision making process. The aim of this paper is to propose some relevant metrics and measurements in order to facilitate the decision making and to improve performance and accountability in security measures and procedures. We propose an approach to obtain some meaningful and useful metrics and measurements, to assess the Information Security Preparedness Level in a continuing improvement scope.