In the context of information security, physical security is about protecting tangible assets holding, communicating or processing valuable information - primarily ICT systems and data storage media - from physical incidents such as theft, criminal or accidental damage, loss, sabotage, fire, flood, mechanical breakdown, electrical surges, dips and power cuts, static discharge, magnetic or electrical interference etc. that would damage the information content or the services provided.
Strictly speaking, it includes physical protection for people, workers particularly, since we also constitute physical information assets - well most of us anyway (some are liabilities!). 'Health and safety' is, in a sense, part of information security, along with substantial parts of HR.
This very brief metrics discussion paper, written seven years ago, does not explore the entire scope of physical security but mentions just a few considerations around physical security targets and measurements. It was not one of our best efforts ... and yet it might just prompt you to think of something worth measuring in your situation.
I promise the quality of this series of papers improves as we head into 2015. Our understanding of metrics improved markedly as we did the thinking and research for the PRAGMATIC book, on top of which we revisited, updated and expanded on the older papers as we completed successive cycles of information security topics. Yes, I know it's "jam tomorrow" but stick with us and enjoy the journey.