The Security Metrics That Matter, and How to Build A Framework Around Them

Security metrics are essential in keeping track of the progress and effectiveness of your risk management programs. They’re also important in ensuring compliance with regulations, scaling up your cybersecurity efforts, and identifying gaps in your security framework.

As in any other business area, constant monitoring is needed to achieve the best results. Here’s everything you need to know about key security metrics and using them to build a robust security system.

Metrics For Security Posture

1. Dwell Time

Dwell time is one of the most important metrics to monitor: it provides clear insight into how long threat actors have been lurking in your network. Dwell time averages 2 years for malware and 43 days for ransomware (shorter because the victim is informed of the attack).

This metric helps you gauge how fast your security teams can spot and mitigate threats; the sooner they can do this, the shorter dwell times become. Monitoring it decreases the likelihood of attackers getting hold of your data and encrypting it for ransom.

2. Number of Known Vulnerabilities

Given the avalanche of attacks targeting networks daily, IT workloads are greater than ever. The number of unpatched vulnerabilities is a metric that reflects the security of your entire network, including the patches you carry out. However, the considerable number of networks to patch, on top of the other responsibilities placed on IT staff, can result in delayed updates and patching, which increases the risk of a network penetration.

Increase visibility into unpatched vulnerabilities across your network, and maintain an organized system for tracking them. Calculate the mean time between the release of a security patch and when it gets implemented. Run vulnerability scans regularly to safeguard assets, especially if you have an enterprise infrastructure, to keep attackers from taking advantage of unpatched networks.
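
The mean time to patch described above, as an added example that is not part of the original article. The patch records, the 30-day SLA and the function name are constructed assumptions. Patches that are still not deployed are counted by their age on the reporting date, so that an unpatched backlog cannot make the average look better than it is.

```python
from datetime import date
from statistics import mean

# Constructed sample records: (patch id, vendor release date, date deployed or None).
PATCHES = [
    ("PATCH-A", date(2024, 1, 9), date(2024, 1, 16)),
    ("PATCH-B", date(2024, 1, 9), date(2024, 2, 20)),
    ("PATCH-C", date(2024, 2, 13), date(2024, 2, 15)),
    ("PATCH-D", date(2024, 2, 13), None),  # still not deployed
    ("PATCH-E", date(2024, 3, 12), None),  # still not deployed
]

def patch_latency_report(patches, as_of, sla_days=30):
    """Mean days from patch release to deployment, with open patches aged to as_of."""
    closed, open_ages = [], []
    for _pid, released, deployed in patches:
        if released > as_of:
            continue  # released after the reporting date: out of scope
        if deployed is not None and deployed < released:
            raise ValueError("deployed before release: check the record")
        if deployed is None or deployed > as_of:
            open_ages.append((as_of - released).days)  # open on the reporting date
        else:
            closed.append((deployed - released).days)
    all_ages = closed + open_ages
    within_sla = sum(1 for days in closed if days <= sla_days)
    return {
        "mean_days_closed_only": round(mean(closed), 1) if closed else None,
        "mean_days_including_open": round(mean(all_ages), 1) if all_ages else None,
        "open_count": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
        "pct_within_sla": round(100 * within_sla / len(all_ages), 1) if all_ages else None,
    }

if __name__ == "__main__":
    for key, value in patch_latency_report(PATCHES, as_of=date(2024, 4, 1)).items():
        print(f"{key}: {value}")
```

Reporting the closed-only mean next to the mean that includes open patches shows how much of the figure is hidden in the backlog.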

3. Identity and Access Controls

The recent explosion of cloud migration and remote working has resulted in an ever-increasing number of access credentials being issued, and managing them is one of the top challenges software companies face today. Seventy-five percent of breaches are commonly caused by privilege abuse, and misconfigured admin accounts along with unsecured endpoints can put your entire infrastructure at risk.

Track the number of admin accounts with known configuration risks. This will help you determine whether these accounts adhere to prescribed security policies; the lower the number, the lower the security risk is for your systems. 

Metrics For Regulation Compliance

Maintaining compliance with security regulations is a must; failure to adhere can prompt regulatory penalties or put industry accreditations at risk. Compliance is also important for building consumer trust and establishing ample measures to protect their data and privacy. The following are the metrics to monitor under some commonly applicable security compliance regulations:


  • Number of configured web servers
  • Number of known vulnerabilities
  • Percentage of all inventoried software that are regularly assessed for vulnerabilities


  • The mean time your IRP will take to mitigate a breach
  • Number of data access attempts (activity logs and access records will be helpful for this)
  • Number of cybersecurity incidents reported internally

Constructing a Security Metrics Program

Aside from having a robust incident response plan in place, it’s also crucial to build a comprehensive security program around the metrics you use. However, no two security frameworks are the same — it will depend on your organization’s needs and the attack surface you’re dealing with.

Joshua Goldfarb, director of product management at F5, shared a few strategies through which he was able to build a security program that worked well with their organization:

  • Identify your audiences. Your security metrics framework may vary depending on what you’re going to use it for, whether it’s for reporting to leadership and stakeholders; for tweaking or assessing your current posture; or for presenting to customers to assure data protection. Joshua notes, “a good metrics framework provides the right metrics to the appropriate audiences, even when there are multiple audiences.”
  • Aggregate strategically. Once you’ve identified who you’re building your framework for, proceed with segmenting them into tiers, with each level getting more detailed as you move up. For example, you may place broad areas such as compliance and risk management on the top level; risk assessment on the second tier; and key risk at the bottom. 
  • Tie metrics back to controls. The efficiency of metrics in reducing risk often relies on how they’re mapped to security controls. 
  • Define metric thresholds. The metrics you use must operate on specific ranges with definite values on each criterion. This is so you can accurately and objectively identify risk levels in the way that works best for your organization.
  • Measure accurately, report regularly. Metrics are there for a reason: to keep your security policies and programs on track. Accordingly, constantly measuring them and reporting key findings are important in maintaining a strong security posture. This will provide direction for your security program and allow your organization to prepare in advance for possible threats. 
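
One way to put the "tie metrics back to controls", "define metric thresholds" and "aggregate strategically" steps into practice, as an added example that is not part of the original article or of the framework it quotes. The metric names, control names, limits and sample measurements are constructed assumptions, and only two tiers (area and metric) are modelled.

```python
# Constructed table: metric -> (control measured, top-tier area, amber limit, red limit).
# Every metric here is "lower is better"; names and limits are illustrative assumptions.
THRESHOLDS = {
    "dwell_time_days":         ("Detection and response", "Risk management", 14, 30),
    "mean_days_to_patch":      ("Patch management",       "Risk management", 15, 30),
    "risky_admin_accounts":    ("Identity and access",    "Compliance",       1,  5),
    "unassessed_software_pct": ("Vulnerability scanning", "Compliance",       5, 20),
}
RANK = {"green": 0, "amber": 1, "no_data": 2, "red": 3}

# Constructed measurements for one reporting period; one metric was not collected.
SAMPLE = {"dwell_time_days": 21, "mean_days_to_patch": 23.8, "risky_admin_accounts": 0}

def rate(value, amber, red):
    """Map a measurement onto a fixed range; a missing value is never rated green."""
    if value is None:
        return "no_data"
    if value >= red:
        return "red"
    return "amber" if value >= amber else "green"

def build_report(measurements):
    """Return (per-metric detail, per-area roll-up using the worst rating in the area)."""
    detail, rollup = {}, {}
    for name, (control, area, amber, red) in THRESHOLDS.items():
        rating = rate(measurements.get(name), amber, red)
        detail[name] = {"control": control, "area": area, "rating": rating}
        rollup[area] = max(rollup.get(area, "green"), rating, key=RANK.get)
    return detail, rollup

if __name__ == "__main__":
    detail, rollup = build_report(SAMPLE)
    for area, rating in rollup.items():
        print(f"{area}: {rating}")
    for name, row in detail.items():
        print(f"  {name} [{row['control']}]: {row['rating']}")
```

The roll-up gives leadership one rating per area while the per-metric rows, each tied to a control, remain available to the team that owns it.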

Final Thoughts

Security metrics let you deal with potential threats and measure performance in an objective way. They can also help you make informed decisions as to what adjustments in your security framework may be necessary, as well as how and when to apply them. These metrics should be tailored to your organization’s needs and risk aversion level to ensure that you can address potential risks and promptly curb attacks.
