Top 10 Metrics for your Vulnerability Management Program

Security Metrics are essential for quantitative measurement of any security program. Below, we’ve listed some security metrics (in no particular order) which can be used to measure the performance of your Vulnerability Management (VM) program. For demonstrating performance improvements, you can create dashboards / graphs which can show trends over time for some of these metrics. Consider  using Vulnerability Management Platforms or GRC Solutions to help automate collection and reporting of some of these metrics.


  1. Mean Time to Detect

    Measures how long it takes before known vulnerabilities get detected, across the organization. If a Heartbleed 2 or EternalBlue 2 were discovered today, how long will it take to identify all the impacted systems across the organization?

  2. Mean Time to Resolve

    The mean time interval taken to remediate / patch vulnerabilities after identification by the Vulnerability Assessment (VA) tool. (i.e. post detection)

  3. Average Window of Exposure

    The time when a vulnerability was first publicly known to the time the impacted systems gets patched.

  4. Scanner Coverage

    This measures the ratio of known assets (e.g.: from Asset Management solution) to those which actually get scanned. Can be split by Internal Assets & External assets.

  5. Scan Frequency by Asset Group

    How frequently are the assets scanned based on different groupings (e.g.: Internal Assets, BU Assets, Impacting Compliance like PCI etc.)

    ( Do More : Check out the top technologies in Vulnerability Assessment Domain )

  6. Number of Open Critical / High Vulnerabilities

    Based on Risk based Prioritization of vulnerability, considering a number of factors (e.g.: CVSS, Asset Criticality, Exploit Availability, Asset Accessibility (Internet vs Intranet), Asset Owner etc.)

  7. Average Risk by BU / Asset Group etc.

    Based on Risk based Prioritization of vulnerabilities (outlined above), the average risk exposure can be calculated based on different groupings.

  8. Number of Exceptions Granted

    This metrics tracks the vulnerabilities which have not been remediated because of various reasons. You may set rules in your scanner to overlook such vulnerabilities but you have to track them for auditing and/or future actions as they may still impact your risk posture.

  9. Vulnerability Reopen Rate

    This measures the effectiveness of the remediation process. A high rate means that the patching process is flawed

  10. % of Systems with no open High / Critical Vulnerability

    What % of systems are fully patched and have no high severity vulnerability present. Can be reported by asset groups.

Do let me know if you want us to add or modify any of the listed metrics. Check out the Vulnerability Assessment market within Product Comparison Platform to get more information on these markets.

Views: 29

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2019   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service