This is a very vague question and too ill-defined, so take my answer attempt below with a grain of salt.
First, security market could mean several things: it could mean intrusion detection systems, intrusion prevention systems, firewalls ...etc. For intrusion detection and prevention systems there are metrics that can be measured: in an ideal (simple) world you can measure detection accuracy (false positives and false negatives, or recall rates of classifiers and machine learning techniques used in anomaly detection, see: https://en.wikipedia.org/wiki/Receiver_operating_characteristic). To measure the above though you need to know all the attacks that are targeting an organization which is not always the case, so typically one would use a data-set with legitimate traffic and known attack traffic as a base case and measure the performance metrics above using such a data-set and compare it against the ground truth of what is good and bad in that traffic.
Another big area in security is cryptography, asymmetric-key (also called public-key) encryption and signature schemes, and symmetric-key encryption schemes. These are very well understood areas and the key sizes to guarantee a certain level of security (typically measure din bits) is mathematically quantified, see for example: https://en.wikipedia.org/wiki/Key_(cryptography) and the National Institute of Standards' (NIST) recommendations: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
The key sizes may be adjusted in the coming years to be quantum-safe.
Another area/topic that may be related to your question is "cyber or cybersecurity" risk assessment. Here, NIST has a framework that organizations can follow to try to quantify and assess their level of risk, see:
https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
and
http://www.nist.gov/cyberframework/upload/cybersecurityframework_6thworkshop_chevron.pdf
Otherwise, if someone claims to have one metric that captures the performance of security (whatever that means) then know that it is snake oil (https://en.wikipedia.org/wiki/Snake_oil).
Hello, it depends what sector of the security market you want to assess on its performance. Here is a link that might help to give you some ideas:
http://www.securebestvalue.org/
I also attach a couple of publications that deal with this issue.
Best regards,
Jaap De Waard
