Security Metrics and Measurement

3.

Core Security Metric Domains

3.1.

Vulnerability Management Metrics

3.1.1.

Vulnerability Discovery and Coverage

3.1.1.1.

Vulnerability Scanning Coverage

3.1.1.1.1.

Percentage of Assets Scanned

3.1.1.1.2.

Scan Frequency Compliance

3.1.1.1.3.

Coverage by Asset Type

3.1.1.2.

Vulnerability Detection Effectiveness

3.1.1.2.1.

Time to Detect Vulnerabilities

3.1.1.2.2.

Detection Rate by Severity

3.1.1.2.3.

False Positive Rates

3.1.2.

Vulnerability Remediation Performance

3.1.2.1.

Time to Remediate Vulnerabilities

3.1.2.1.1.

By Severity Level

3.1.2.1.1.1.

Critical Vulnerabilities

3.1.2.1.1.2.

High Severity Vulnerabilities

3.1.2.1.1.3.

Medium Severity Vulnerabilities

3.1.2.1.1.4.

Low Severity Vulnerabilities

3.1.2.1.2.

By Asset Criticality

3.1.2.1.2.1.

Mission-Critical Assets

3.1.2.1.2.2.

High-Value Assets

3.1.2.1.2.3.

Standard Assets

3.1.2.2.

Mean Time to Patch (MTTP)

3.1.2.2.1.

By Vulnerability Type

3.1.2.2.2.

By System Category

3.1.2.3.

Remediation Rate Trends

3.1.2.3.1.

Monthly Remediation Rates

3.1.2.3.2.

Quarterly Performance

3.1.3.

Vulnerability Inventory Management

3.1.3.1.

Number of Open Vulnerabilities

3.1.3.1.1.

By Severity Classification

3.1.3.1.2.

3.1.3.1.3.

By Business Unit

3.1.3.2.

Vulnerability Aging Analysis

3.1.3.2.1.

Age Distribution

3.1.3.2.2.

Overdue Remediation Tracking

3.1.3.3.

Vulnerability Re-opening Rate

3.1.3.3.1.

Root Cause Analysis

3.1.3.3.2.

Prevention Measures

3.2.

Incident Response and Management Metrics

3.2.1.

Incident Detection Performance

3.2.1.1.

Mean Time to Detect (MTTD)

3.2.1.1.1.

By Incident Type

3.2.1.1.2.

By Detection Method

3.2.1.2.

Detection Source Analysis

3.2.1.2.1.

Automated Detection

3.2.1.2.2.

Manual Detection

3.2.1.2.3.

External Notification

3.2.2.

Incident Response Timeliness

3.2.2.1.

Mean Time to Acknowledge (MTTA)

3.2.2.1.1.

By Severity Level

3.2.2.1.2.

By Response Team

3.2.2.2.

Mean Time to Contain (MTTC)

3.2.2.2.1.

Containment Effectiveness

3.2.2.2.2.

Escalation Procedures

3.2.2.3.

Mean Time to Resolve (MTTR)

3.2.2.3.1.

Resolution Quality Metrics

3.2.2.3.2.

Customer Satisfaction

3.2.3.

Incident Volume and Classification

3.2.3.1.

Number of Security Incidents

3.2.3.1.1.

By Incident Type

3.2.3.1.1.1.

Malware Infections

3.2.3.1.1.2.

Phishing Attacks

3.2.3.1.1.3.

3.2.3.1.1.4.

Insider Threats

3.2.3.1.1.5.

3.2.3.1.2.

By Severity Classification

3.2.3.1.2.1.

Critical Incidents

3.2.3.1.2.2.

High Priority Incidents

3.2.3.1.2.3.

Medium Priority Incidents

3.2.3.1.2.4.

Low Priority Incidents

3.2.3.1.3.

By Source or Vector

3.2.4.

Incident Management Efficiency

3.2.4.1.

Incident Backlog Management

3.2.4.1.1.

Number of Unresolved Incidents

3.2.4.1.2.

Average Age of Open Incidents

3.2.4.1.3.

3.2.4.2.

Resource Utilization

3.2.4.2.1.

Response Team Workload

3.2.4.2.2.

Escalation Frequency

3.2.5.

Incident Cost Analysis

3.2.5.1.

Cost per Incident

3.2.5.1.1.

Direct Response Costs

3.2.5.1.2.

Indirect Business Impact

3.2.5.1.3.

3.2.5.2.

Total Cost of Incidents

3.2.5.2.1.

Monthly and Annual Totals

3.2.5.2.2.

Cost Trend Analysis

3.3.

Identity and Access Management (IAM) Metrics

3.3.1.

Access Governance Metrics

3.3.1.1.

Privileged Access Management

3.3.1.1.1.

Percentage of Privileged Accounts

3.3.1.1.2.

Privileged Access Review Frequency

3.3.1.1.3.

Number of Privileged Access Violations

3.3.1.1.4.

Privileged Session Monitoring

3.3.1.2.

User Access Lifecycle Management

3.3.1.2.1.

Account Provisioning Time

3.3.1.2.2.

Access Recertification Completion Rate

3.3.1.2.3.

Time to De-provision Access

3.3.1.2.4.

Number of Orphaned Accounts

3.3.1.3.

Role-Based Access Control (RBAC) Effectiveness

3.3.1.3.1.

Role Assignment Accuracy

3.3.1.3.2.

Role Review Frequency

3.3.1.3.3.

Segregation of Duties Violations

3.3.2.

Authentication Security Metrics

3.3.2.1.

Password Policy Compliance

3.3.2.1.1.

Percentage of Users Compliant

3.3.2.1.2.

Number of Policy Violations

3.3.2.1.3.

Password Reset Frequency

3.3.2.2.

Multi-Factor Authentication (MFA) Metrics

3.3.2.2.1.

MFA Adoption Rate

3.3.2.2.2.

Coverage by System or Application

3.3.2.2.3.

MFA Bypass Incidents

3.3.2.3.

Authentication Failure Analysis

3.3.2.3.1.

Failed Login Attempts

3.3.2.3.2.

Account Lockout Frequency

3.3.2.3.3.

Suspicious Authentication Activity

3.3.3.

Identity Risk Indicators

3.3.3.1.

Dormant Account Management

3.3.3.1.1.

Number of Inactive Accounts

3.3.3.1.2.

Account Cleanup Frequency

3.3.3.2.

Access Anomaly Detection

3.3.3.2.1.

Unusual Access Patterns

3.3.3.2.2.

Off-Hours Access Attempts

3.3.3.2.3.

Geographic Access Anomalies

3.4.

Security Awareness and Training Metrics

3.4.1.

Phishing Simulation Performance

3.4.1.1.

Phishing Click Rates

3.4.1.1.1.

Overall Click Rate

3.4.1.1.2.

Click Rate by Department

3.4.1.1.3.

Click Rate Trends

3.4.1.2.

Phishing Reporting Rates

3.4.1.2.1.

Suspicious Email Reports

3.4.1.2.2.

Reporting Response Time

3.4.1.3.

Credential Submission Rates

3.4.1.3.1.

Data Entry on Fake Sites

3.4.1.3.2.

Credential Harvesting Success

3.4.1.4.

Repeat Offender Analysis

3.4.1.4.1.

Multiple Failure Tracking

3.4.1.4.2.

Targeted Training Effectiveness

3.4.2.

Training Program Effectiveness

3.4.2.1.

Training Completion Rates

3.4.2.1.1.

By Department or Business Unit

3.4.2.1.2.

By Employee Role

3.4.2.1.3.

By Training Module

3.4.2.2.

Training Assessment Scores

3.4.2.2.1.

Pre-training Assessments

3.4.2.2.2.

Post-training Assessments

3.4.2.2.3.

Knowledge Retention Testing

3.4.2.3.

Training Currency

3.4.2.3.1.

Percentage of Current Training

3.4.2.3.2.

Training Refresh Compliance

3.4.3.

Policy and Compliance Awareness

3.4.3.1.

Security Policy Acknowledgment

3.4.3.1.1.

Acknowledgment Rate

3.4.3.1.2.

Acknowledgment Timeliness

3.4.3.1.3.

Policy Update Communication

3.4.3.2.

Compliance Training Metrics

3.4.3.2.1.

Regulatory Training Completion

3.4.3.2.2.

Certification Maintenance

3.5.

Endpoint Security Metrics

3.5.1.

Endpoint Protection Coverage

3.5.1.1.

Anti-Malware Deployment

3.5.1.1.1.

Percentage of Devices Protected

3.5.1.1.2.

Protection Software Currency

3.5.1.1.3.

Update Compliance Rate

3.5.1.2.

Endpoint Detection and Response (EDR)

3.5.1.2.1.

Agent Deployment Rate

3.5.1.2.2.

Agent Health Status

3.5.1.2.3.

Detection Capability Coverage

3.5.2.

Endpoint Configuration Management

3.5.2.1.

Device Encryption Status

3.5.2.1.1.

Percentage of Encrypted Devices

3.5.2.1.2.

Encryption by Device Type

3.5.2.1.3.

Encryption Policy Compliance

3.5.2.2.

Configuration Compliance

3.5.2.2.1.

Security Baseline Adherence

3.5.2.2.2.

Configuration Drift Detection

3.5.2.2.3.

Remediation Tracking

3.5.3.

Endpoint Threat Landscape

3.5.3.1.

Malware Detection and Response

3.5.3.1.1.

Malware Incidents by Type

3.5.3.1.2.

Detection and Cleanup Time

3.5.3.1.3.

Infection Rate Trends

3.5.3.2.

Unauthorized Software Management

3.5.3.2.1.

Number of Unauthorized Applications

3.5.3.2.2.

Software Whitelist Compliance

3.5.3.2.3.

Remediation Rate

3.6.

Network Security Metrics

3.6.1.

Network Access Control

3.6.1.1.

Firewall Management

3.6.1.1.1.

Firewall Rule Review Frequency

3.6.1.1.2.

Number of Rules Reviewed

3.6.1.1.3.

Rule Optimization Metrics

3.6.1.2.

Network Segmentation Effectiveness

3.6.1.2.1.

Segment Isolation Testing

3.6.1.2.2.

Cross-Segment Traffic Analysis

3.6.1.2.3.

Micro-segmentation Coverage

3.6.2.

Network Monitoring and Detection

3.6.2.1.

Intrusion Detection and Prevention

3.6.2.1.1.

IDS/IPS Alert Volume

3.6.2.1.2.

True Positive Rate

3.6.2.1.3.

False Positive Rate

3.6.2.1.4.

Alert Response Time

3.6.2.2.

Network Traffic Analysis

3.6.2.2.1.

Baseline Traffic Patterns

3.6.2.2.2.

Anomalous Traffic Detection

3.6.2.2.3.

Bandwidth Utilization Security

3.6.3.

Network Infrastructure Security

3.6.3.1.

Port and Service Management

3.6.3.1.1.

Number of Open Ports

3.6.3.1.2.

Unused Port Identification

3.6.3.1.3.

Service Hardening Status

3.6.3.2.

Network Device Security

3.6.3.2.1.

Device Configuration Compliance

3.6.3.2.2.

Firmware Update Status

3.6.3.2.3.

Access Control Implementation

3.7.

Application Security (AppSec) Metrics

3.7.1.

Secure Development Lifecycle

3.7.1.1.

Developer Security Training

3.7.1.1.1.

Percentage of Developers Trained

3.7.1.1.2.

Training Frequency and Currency

3.7.1.1.3.

Secure Coding Competency

3.7.1.2.

Security Testing Integration

3.7.1.2.1.

Percentage of Applications Tested

3.7.1.2.2.

Testing Frequency

3.7.1.2.3.

Test Coverage Metrics

3.7.2.

Application Vulnerability Management

3.7.2.1.

Static Application Security Testing (SAST)

3.7.2.1.1.

Vulnerabilities Found per Scan

3.7.2.1.2.

Vulnerability Density Metrics

3.7.2.1.3.

Code Quality Trends

3.7.2.2.

Dynamic Application Security Testing (DAST)

3.7.2.2.1.

Runtime Vulnerability Detection

3.7.2.2.2.

Penetration Testing Results

3.7.2.2.3.

Web Application Firewall Effectiveness

3.7.2.3.

Vulnerability Remediation

3.7.2.3.1.

Time to Remediate Code Flaws

3.7.2.3.2.

Remediation Rate by Severity

3.7.2.3.3.

Re-introduction Rate

3.7.3.

Application Security Reviews

3.7.3.1.

Security Review Coverage

3.7.3.1.1.

Percentage of Applications Reviewed

3.7.3.1.2.

Review Frequency

3.7.3.1.3.

Review Depth and Quality

3.7.3.2.

Threat Modeling Metrics

3.7.3.2.1.

Threat Model Coverage

3.7.3.2.2.

Threat Identification Effectiveness

3.7.3.2.3.

Mitigation Implementation Rate

3.8.

Governance, Risk, and Compliance (GRC) Metrics

3.8.1.

Control Effectiveness Measurement

3.8.1.1.

Control Performance Scoring

3.8.1.1.1.

Control Effectiveness Score

3.8.1.1.2.

Scoring Methodology

3.8.1.1.3.

Performance Trends

3.8.1.2.

Control Testing Coverage

3.8.1.2.1.

Percentage of Controls Tested

3.8.1.2.2.

Testing Frequency

3.8.1.2.3.

Test Result Analysis

3.8.2.

Policy and Exception Management

3.8.2.1.

Policy Compliance Metrics

3.8.2.1.1.

Policy Adherence Rates

3.8.2.1.2.

Policy Violation Tracking

3.8.2.1.3.

Policy Update Compliance

3.8.2.2.

Exception Management

3.8.2.2.1.

Number of Policy Exceptions

3.8.2.2.2.

Exception Approval Process

3.8.2.2.3.

Exception Aging and Closure

3.8.3.

Audit and Assessment Management

3.8.3.1.

Audit Finding Management

3.8.3.1.1.

Number of Open Findings

3.8.3.1.2.

Time to Close Findings

3.8.3.1.3.

Finding Recurrence Rate

3.8.3.2.

Assessment Program Metrics

3.8.3.2.1.

Assessment Coverage

3.8.3.2.2.

Assessment Frequency

3.8.3.2.3.

Remediation Tracking

Previous

2. Developing a Security Metrics Program

Go to top

Next

4. Data Collection, Aggregation, and Analysis