The Security Metrics That Matter, and How to Build A Framework Around Them - Ascent Conference

The Security Metrics That Matter, and How to Build A Framework Around Them

Security metrics are essential in keeping track of the progress and effectiveness of your risk management programs. They’re also important in ensuring compliance with regulations, scaling up your cybersecurity efforts, and identifying gaps in your security framework.

As in any other business area, constant monitoring is needed to achieve the best results. Here’s everything you need to know about key security metrics and using them to build a robust security system.

Metrics For Security Posture

1. Dwell Time

One of the most important metrics to monitor, dwell time provides clear insights into how long threat actors have been lurking around in your network. Dwell time for malware is 2 years on average and 43 days for ransomware (a shorter time due to the fact that the victim is informed of the attack). 

This metric helps you gauge how fast your security teams can spot and mitigate threats — the sooner they can do this, the shorter dwell times become. Monitoring this decreases the likelihood of attackers getting hold of your data and encrypting them for ransom.

2. Number of Known Vulnerabilities

Given the avalanche of attacks targeting networks on a daily basis, IT workloads are greater than ever before. The number of unpatched vulnerabilities is a metric that measures your entire network’s security, including the patches you carry out. However, with the considerable amount of networks to patch and other responsibilities placed upon IT staff, this can result in delayed updates and patching, which increases the risk of a network penetration.

Increase visibility across your network for unpatched vulnerabilities, and maintain an organized system for tracking these vulnerabilities. Calculate the mean time between the release of a security patch and when it gets implemented. Regularly run vulnerability scans to safeguard assets, especially if you have an enterprise infrastructure to keep attackers from taking advantage of unpatched networks.

3. Identity and Access Controls

The recent explosion of cloud migration and remote working has resulted in an ever-increasing number of access credentials being issued — managing them is one one of the top challenges software companies face today. Seventy-five percent of breaches are commonly caused by privilege abuse, and misconfigured admin accounts along with unsecured endpoints can put your entire infrastructure at risk. 

Track the number of admin accounts with known configuration risks. This will help you determine whether these accounts adhere to prescribed security policies; the lower the number, the lower the security risk is for your systems. 

Metrics For Regulation Compliance

Maintaining compliance with security regulations is a must; a failure to adhere can prompt regulatory penalties or risk industry accreditations. Compliance is also important for building consumer trust and establishing ample measures to protect their data and privacy. The following are the metrics to monitor under some commonly-applicable security compliance regulations:


  • Number of configured web servers
  • Number of known vulnerabilities
  • Percentage of all inventoried software that are regularly assessed for vulnerabilities


  • The mean time your IRP will take to mitigate a breach
  • Number of data access attempts (activity logs and access records will be helpful for this)
  • Number of cybersecurity incidents reported internally

Constructing a Security Metrics Program

Aside from having a robust incident response plan in place, it’s also crucial to build a comprehensive security program around the metrics you use. However, no two security frameworks are the same — it will depend on your organization’s needs and the attack surface you’re dealing with.

Joshua Goldfarb, director of product management at F5, shared a few strategies through which he was able to build a security program that worked well with their organization:

  • Identify your audiences. Your security metrics framework may vary depending on what you’re going to use it for, whether it’s for reporting to leadership and stakeholders; for tweaking or assessing your current posture; or for presenting to customers to assure data protection. Joshua notes, “a good metrics framework provides the right metrics to the appropriate audiences, even when there are multiple audiences.”
  • Aggregate strategically. Once you’ve identified who you’re building your framework for, proceed with segmenting them into tiers, with each level getting more detailed as you move up. For example, you may place broad areas such as compliance and risk management on the top level; risk assessment on the second tier; and key risk at the bottom. 
  • Tie metrics back to controls. The efficiency of metrics in reducing risk often relies on how they’re mapped to security controls. 
  • Define metric thresholds. The metrics you use must operate on specific ranges with definite values on each criterion. This is so you can accurately and objectively identify risk levels in the way that works best for your organization.
  • Measure accurately, report regularly. Metrics are there for a reason: to keep your security policies and programs on track. Accordingly, constantly measuring them and reporting key findings are important in maintaining a strong security posture. This will provide direction for your security program and allow your organization to prepare in advance for possible threats. 

Final Thoughts

Security metrics let you deal with potential threats and measure performance in an objective way. They can also help you make informed decisions as to what adjustments in your security framework may be necessary, as well as how and when to apply them. These metrics should be tailored to your organization’s needs and risk aversion level to ensure that you can address potential risks and promptly curb attacks.

READ NEXT: How SaaS Businesses Can Demonstrate Their Commitment to Application Security

Want to learn even more about how to make your platform secure and resilient? Watch our Spotlight on Cybersecurity featuring experts from SecurityScorecard!

Photo by Tech Daily on Unsplash

Privacy Notice

This privacy notice discloses the privacy practices for ( This privacy notice applies solely to information collected by this website. It will notify you of the following:

  • What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
  • What choices are available to you regarding the use of your data.
  • The security procedures in place to protect the misuse of your information.
  • How you can correct any inaccuracies in the information.

Information Collection, Use, and Sharing

We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.

We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request, e.g. to ship an order.

Unless you ask us not to, we may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy.

Your Access to and Control Over Information

You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:

  • See what data we have about you, if any.
  • Change/correct any data we have about you.
  • Have us delete any data we have about you.
  • Express any concern you have about our use of your data.


We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.

Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Web page.

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.

If you feel that we are not abiding by this privacy policy, you should contact us immediately via telephone at 202-256-9707 or [email protected].