Social Network For Security Executives: Network, Learn & Collaborate
Security Metrics are essential for quantitative measurement of any security program. Below, we’ve listed some security metrics (in no particular order) which can be used to measure the performance of your Vulnerability Management (VM) program. For demonstrating performance improvements, you can create dashboards / graphs which can show trends over time for some of these metrics. Consider using Vulnerability Management Platforms or GRC Solutions to help automate collection and reporting of some of these metrics.
Measures how long it takes before known vulnerabilities get detected, across the organization. If a Heartbleed 2 or EternalBlue 2 were discovered today, how long will it take to identify all the impacted systems across the organization?
The mean time interval taken to remediate / patch vulnerabilities after identification by the Vulnerability Assessment (VA) tool. (i.e. post detection)
The time when a vulnerability was first publicly known to the time the impacted systems gets patched.
This measures the ratio of known assets (e.g.: from Asset Management solution) to those which actually get scanned. Can be split by Internal Assets & External assets.
How frequently are the assets scanned based on different groupings (e.g.: Internal Assets, BU Assets, Impacting Compliance like PCI etc.)
( Do More : Check out the top technologies in Vulnerability Assessment Domain )
Based on Risk based Prioritization of vulnerability, considering a number of factors (e.g.: CVSS, Asset Criticality, Exploit Availability, Asset Accessibility (Internet vs Intranet), Asset Owner etc.)
Based on Risk based Prioritization of vulnerabilities (outlined above), the average risk exposure can be calculated based on different groupings.
This metrics tracks the vulnerabilities which have not been remediated because of various reasons. You may set rules in your scanner to overlook such vulnerabilities but you have to track them for auditing and/or future actions as they may still impact your risk posture.
This measures the effectiveness of the remediation process. A high rate means that the patching process is flawed
What % of systems are fully patched and have no high severity vulnerability present. Can be reported by asset groups.
Do let me know if you want us to add or modify any of the listed metrics. Check out the Vulnerability Assessment market within Product Comparison Platform to get more information on these markets.