An IT security vulnerability can be considered as an inherent weakness in a target system that could be exploited by a threat source. The underlying hypothesis in our proposal is that each identified attribute associated with the target entity to be controlled should show the highest quality satisfaction level as an elementary indicator. The higher the quality indicator value achieved per each attribute, the lower the vulnerability indicator value and therefore the potential impact from the risk standpoint. In the present work, we discuss the added value of supporting the IT security and risk assessment areas with measurement and evaluation (M&E) methods and strategy, which are based on metrics and indicators. Also we illustrate excerpts of an M&E case study for characteristics and attributes of Security, and their potential risk assessment.Sociedad Argentina de Informática e Investigación Operativa (SADIO)