One of the more confusing issues faced by security engineers today is that of providing some form of quantified metric for enterprise security. Most can give only a weak, qualitative answer: “We’re pretty secure” or “We’re OK for now”. Putting a more quantitative, “dollarized” value on it is most often out of reach. What the executive would like is an answer comparable to the one a program manager can give about the risk of completing a development program, for example: “my program has a remaining budget of 10 million dollars, we have recognized the potential for 1.5 million dollars in risk, and I have budgeted 0.5 million dollars to mitigate this risk to an overall programmatic risk of 0.3 million dollars”.

One reason for this difficulty is how hard it is to empirically measure IT enterprise security. Although much progress has been made in the empirical measurement of discrete parts of IT systems during development, these measurements use conceptual schemas developed specifically to aid development during the applicable development phase. The models used are often development models that, for example, aid in the selection of architectural alternatives or help determine a specific hardware or network device component. When a new system or component is added to an enterprise, adding the new system’s metrics to the enterprise metrics will be difficult unless the statistics are normalized.

In November 2005, the INFOSEC Research Council published its 2005 Hard Problems List [INFOSEC 2005]. Number eight in the list of the eight hardest problems that IT has to solve is “Enterprise Level Security Metrics”. Since the publication of this list, it appears that little has been accomplished towards the establishment of enterprise-level security metrics. True end-to-end metrics have been elusive, and little progress has been made towards defining a methodology for maintaining an ontology across the whole life cycle.
This presentation will review the hard problem, discuss the progress made over the last decade towards addressing it, and provide a brief recap of how many enterprise-level security engineers actually provide quantitative metrics and why many do not believe the problem is real.