How to measure performance of Plant Security Manager?

That depends on whether there are a statistically significant number of incidents and a statistically significant change. If, for example, a typical rate is 500 incidents per million hours, and the rate drops to 400, then you have something measurable. If the rate is more like 10 incidents and it drops to 8, then the change can't be differentiated from random variation. If you want to come up with something quantifiable, then it needs to be meaningful and statistically valid.

Also, if you're going to use numbers as an evaluation measurement, then you should state explicit goals related to those numbers. Asking to "upgrade" the rate doesn't give the person a target, other than to say it shouldn't get any worse. Using the above example, someone could say the goal was met if the incident rate went from 500 to 499, even though there was clearly no real improvement. Stating a goal like "reduce the number of security incidents by 5%" is more meaningful.

Finally, be careful what you ask for. Once you start counting performance metrics, people will start looking for ways to game the system. If, for example, you have a large number of minor incidents, and a very small number of very serious ones (and I'll speculate that this is true in security), the metric gives the person being evaluated an incentive to ignore the serious issues in order to make a numbers goal by reducing the large number of less important violations. For this reason, I think it's very important that performance counters be only part of an evaluation.