I moderated a "Security Metrics Exchange" peer-to-peer roundtable at RSA 2009. Here is the abstract:
discuss real-world metrics in use. To participate, you must bring your own "Top 5" metrics and be ready to discuss their value proposition and use cases. We will interactively evaluate the metrics and everyone will leave with the group's list of the most useful metrics in today's enterprise security environments."
So, the goal was a simple one, and it is clear that there is no overarching structure to the metrics, but I think it is useful to see what metrics were top-of-mind at the session. Here are the ones we came up with (and discussed) during the session:
% of Managers that Certify User Roles
Number of Password Resets
Cost per Password Reset
Number of Failed Logins
Number of Stale Accounts
Dead but Active Accounts
Login Spoof Attempts
Avg Time to Provision
Number of Privileged User Accounts
Number of VPN Connections per Week
User Account Growth Rate
% Systems Patched {OS; Platform use}
% Bandwidth Change
Number of Viruses
Avg Time to Recover
Avg Vulns per Host
Number of Applications
Number of Ports Open
Number of Servers
Number of Desktops
% of Systems with AV Installed {turned on; up-to-date}
Number of Exploitable Vulns
% of Security-related Defects
Avg Time to Find Vulns
Incidents per Month
I am not a fan of some of these metrics, but they are interesting nonetheless. I hope to find time to analyze them further in the future.
For some of these, I wouldn’t even know if the metric was measuring badness or goodness.
One additional possibility:
“% of pingable systems that have been identified and assigned an owner.”
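As an added example (not from the original post), here is how three of the metrics above could be computed from inventory data, with the definitions the post leaves open made explicit: "Number of Stale Accounts" (assumed: enabled, no successful login in 90 days), "Dead but Active Accounts" (assumed: still enabled although HR lists the person as departed), and the "% of pingable systems that have been identified and assigned an owner". All records, addresses, names and the reference date are constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post). One record per account:
# user name, enabled flag, last successful login, and whether HR still lists the person.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2009, 4, 20), "employed": True},
    {"user": "bob",   "enabled": True,  "last_login": date(2008, 11, 2), "employed": True},
    {"user": "carol", "enabled": True,  "last_login": date(2009, 3, 1),  "employed": False},
    {"user": "dave",  "enabled": False, "last_login": date(2008, 6, 15), "employed": False},
    {"user": "erin",  "enabled": True,  "last_login": None,              "employed": True},
]

# Constructed asset data: hosts that answered a ping sweep, and the inventory's owner map.
PINGABLE_HOSTS = ["10.0.0.5", "10.0.0.9", "10.0.0.12", "10.0.0.40"]
ASSET_OWNERS = {"10.0.0.5": "web-team", "10.0.0.9": "db-team", "10.0.0.12": None}

AS_OF = date(2009, 4, 24)  # constructed reference date for the "stale" calculation


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Assumed definition: enabled accounts with no successful login in the last
    max_idle_days. An account that has never logged in counts as stale."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff))


def dead_but_active_accounts(accounts):
    """Assumed definition: the account is still enabled although HR says the person left."""
    return sorted(a["user"] for a in accounts if a["enabled"] and not a["employed"])


def pct_pingable_with_owner(pingable, owners):
    """% of pingable systems that are in the inventory AND carry a non-empty owner.
    A host missing from the inventory, or present with no owner, counts against the metric."""
    if not pingable:
        return 0.0
    owned = sum(1 for host in pingable if owners.get(host))
    return round(100.0 * owned / len(pingable), 1)


if __name__ == "__main__":
    print("stale accounts:", stale_accounts(ACCOUNTS, AS_OF))
    print("dead but active:", dead_but_active_accounts(ACCOUNTS))
    print("pingable with owner: %.1f%%" % pct_pingable_with_owner(PINGABLE_HOSTS, ASSET_OWNERS))
```

Changing the idle threshold or the owner rule changes the number, which is exactly why each metric needs its definition written down before it is compared across teams.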