We develop quantitative metrics to guide security improvements. These move us beyond “expert” opinion toward a science and engineering discipline for security. We quantify exposure and risk to guide developers and optimization tools. These metrics must be mechanically and objectively computable.