Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?


Incident Response

Using Relative Metrics to Measure Security Program Success

In my previous column, I discussed the “So What Factor”, which reminds us that we must know our audience.  Many of the people we interact with professionally will not be as enamored by the beauty or elegance of a technical solution as we are.  Instead, they will be more concerned with consequences, effects, and results.

In my previous column, I discussed the “So What Factor”, which reminds us that we must know our audience.  Many of the people we interact with professionally will not be as enamored by the beauty or elegance of a technical solution as we are.  Instead, they will be more concerned with consequences, effects, and results. As such, it’s important to remember to communicate appropriately towards those ends.

If we are successful in our communication efforts, we may obtain the budgetary resources we are after. If we are able to obtain those budgetary resources, we will be able to implement the programs necessary to address the risks we communicated.  At that point, our executives will soon want to measure the effectiveness of their investment. This should come as no surprise, of course. But how can we effectively measure our success and progress?  This is an extremely important question, and one that presents a great challenge to most organizations.  It is a topic that I would like to try and address in this post, as previously promised.

Security MetricsWhen looking to measure the success and progress of a security program, it is important to think about what success and progress actually mean.  Or, to put it another way, it helps to think about what we are trying to achieve when thinking about how to measure our achievement of that.  What are the risks we are trying to mitigate?  What are the goals and priorities we have enumerated?

When we think about metrics in these terms, it’s clear that absolute metrics don’t help us very much in measurement. In other words, they don’t help us understand our success and progress against our goals and priorities because they are not in any way tied to or mapped to our goals and priorities.  We need more meaningful metrics in order to properly evaluate ourselves – metrics that are relevant to the risk and threats faced by the business.

To see this illustrated in a simple example, let’s examine at a simple metric that many organizations use on a daily or weekly basis: the number of compromised endpoints over a given time period.  At first glance, this may seem like a decent metric, but allow me to ask a simple question. If we see one compromised endpoint in a given day, does that mean we’re doing better than if we see 100 compromised endpoints in a given day?  Find it difficult to answer that question?  You’re not alone.

There are a number of issues with looking at metrics like these.  First off, our example metric implicitly assumes timely and accurate detection. If that assumption were true, perhaps it would be easier to work with this metric. What is the issue with this assumption you ask?  Our example metric assumes that an organization’s detection works, and that it works well. In practice, however, this turns out to be a fairly unreasonable assumption.  Detection is difficult. Timely and accurate detection is extremely difficult (though not impossible).  Because of this, we are always effectively measuring a biased sample. Even if we assume that our analysis and forensics bring us to the correct conclusion 100% of the time, we can still never know if what we’ve detected is anywhere near ground truth.

Further, this metric actually penalizes organizations that have better detection over organizations that have worse detection.  How so?  Say Company A has good detection.  Given the volume of malicious re-directs and phishing emails out there, sooner or later, no matter how good Company A’s defenses are, their users will fall victim to some of these campaigns.  When that happens, Company A will detect the compromised endpoints and contain and remediate them in a timely manner.  Say that Company B does not have good detection.  Because of this, they will not detect these compromised endpoints, and the endpoints will remain infected for days, weeks, or months.  If we look only at absolute metrics, such as our example metric, Company B seems to have “better security” than Company A.  Preposterous!  Yet, unfortunately, this is how many organizations measure the effectiveness of their security programs.

In addition to the sample bias I’ve just discussed, absolute metrics have another critical flaw. Absolute metrics do not actually help us understand our success and progress relative to our goals and priorities.  Ultimately, what we measure ought to tell us what we are doing well, and where we need to improve.  That is one key purpose of metrics, at least as I understand them.

Enter relative metrics. What are relative metrics you ask?  Relative metrics are metrics that are tied to the risks, goals, and priorities that the organization has enumerated strategically. The goal of any security program is to mitigate the risk posed by the threat landscape through goals and priorities strategically focused on achieving that end.  This concept has been discussed elsewhere, including in one of my previous SecurityWeek pieces entitled “Is Security An Unsolvable Problem?

Advertisement. Scroll to continue reading.

Let’s walk through an example of a relative metric to help convey the concept.  Say that one of the risks we want to mitigate is the theft of payment card data.  This example is likely on the minds of many people these days.  Let’s use a simple metric to measure how we are doing at mitigating that risk: number of payment cards stolen from our organization over a given time period.  Let’s revisit Company A and Company B and see how they perform.  Say Company A detects 100 infected Point-of-sale (POS) systems, but is able to contain and remediate those endpoints before any data has been taken due to Company A’s timely and accurate detection capabilities.  On the other hand, Company B does not detect any compromised Point-of-sale (POS) systems.  The POS systems remain infected for months, and millions of payment cards are stolen. Recall that with the absolute metric, Company B appeared to have a better security program than Company A. When we use a relative metric, however, it is clear that Company A’s security program is much better – at least when it comes to mitigating this particular risk that we are measuring.

Organizations have historically used absolute metrics to measure the success and progress of their security programs.  While there is much conventional wisdom around this approach, there is little logical basis for it. Instead, organizations should seek to develop relative metrics to measure their success and progress against the risks, goals, and priorities they have enumerated. These more meaningful metrics allow organizations to hone in on what they do well and what they can improve. These more accurate measurements allow organizations to make changes in a more scientific manner, ultimately leading to an improved security posture.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...