Passing the Sniff Test: Security Metrics and Measures

Cigital dishes dirt on top security metrics that don’t work well, why they’re ineffective and which measurables to consider instead.
Security Metric Sniff Test #1
Security Metric Sniff Test #2
Ineffective Metric #1: Mean Time To Incident Recovery
Alternative To Consider: Ratio Of Incidents That Should Have Been Already Known
Ineffective Metric #2: Mean Time Between Incidents
Alternative To Consider: Control Effectiveness
Ineffective Metric #3: Mean Time To Implement A Patch
Alternative To Consider: Window Of Exposure


Security metrics are one of the key pillars of establishing a mature cybersecurity program. We’ve spilled a lot of digital ink over the years at Dark Reading discussing some of the top security metrics that organizations should consider collecting and analyzing. But are all security metrics good ones? According to Caroline Wong, security initiative director at Cigital, the short answer is, ‘Nope!’ She’s seen organizations waste resources on measuring things that don’t really matter to the business and do nothing to help drive improvement.

“I've really been doing security metrics for about ten years, so I've had more time to think about stuff,” she says. “And one of the things that I've realized is that there are some metrics which organizations track that I really just don't think are useful.”

Caroline gave us the lowdown on metrics effectiveness. She started by offering some key sniff tests for determining whether your metric is a stinker. Then she offered up some examples of ineffective metrics, as well as alternatives that will better help move the needle for security.
