A Few “Favorite” Security Metrics – RSA 2009 Edition

I moderated a "Security Metrics Exchange" peer-to-peer roundtable at RSA 2009. Here is the abstract:

"Many metrics sessions never actually get to metrics. In this p2p, we will discuss real-world metrics in use. To participate, you must bring your own "Top 5" metrics and be ready to discuss their value proposition and use cases. We will interactively evaluate the metrics and everyone will leave with the group's list of the most useful metrics in today's enterprise security environments."

So, the goal was a simple one, and it is clear that there is no overarching structure to the metrics, but I think it is useful to see what metrics were top-of-mind at the session. Here are the ones we came up with (and discussed) during the session:

% of Managers that Certify User Roles
Number of Password Resets
Cost per Password Reset
Number of Failed Logins
Number of Stale Accounts
Dead but Active Accounts
Login Spoof Attempts
Avg Time to Provision
Number of Privileged User Accounts
Number of VPN Connections per Week
User Account Growth Rate
% Systems Patched {OS; Platform use}
% Bandwidth Change
Number of Viruses
Avg Time to Recover
Avg Vulns per Host
Number of Applications
Number of Ports Open
Number of Servers
Number of Desktops
% of Systems with AV Installed {turned on; up-to-date}
Number of Exploitable Vulns
% of Security-related Defects
Avg Time to Find Vulns
Incidents per Month
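To make a few of the identity metrics above concrete, here is an added example that is not from the session or the original post. It computes four of them over a constructed account inventory: stale accounts, dead-but-active accounts, privileged account count, and the percentage of managers certifying roles. The 90-day staleness threshold, the record fields, and the reading of "a manager certifies" as "every enabled report's role has been attested" are assumptions, not definitions the group agreed on.

```python
"""Compute a handful of identity metrics from an account inventory.

Everything here is constructed sample data. The 90-day staleness
threshold and the record layout are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

STALE_AFTER = timedelta(days=90)  # assumed threshold for "stale"


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in
    hr_status: str              # "active" or "terminated" (assumed HR-feed values)
    privileged: bool
    manager: str
    role_certified: bool        # manager has attested to this account's role


def stale_accounts(accounts: List[Account], today: date) -> List[Account]:
    """Enabled accounts with no login inside STALE_AFTER.

    Never-logged-in accounts count as stale: they are usually the ones
    nobody is watching.
    """
    cutoff = today - STALE_AFTER
    return [a for a in accounts
            if a.enabled and (a.last_login is None or a.last_login < cutoff)]


def dead_but_active(accounts: List[Account]) -> List[Account]:
    """Accounts still enabled although HR says the person has left."""
    return [a for a in accounts if a.enabled and a.hr_status == "terminated"]


def privileged_count(accounts: List[Account]) -> int:
    """Number of enabled accounts carrying privileged rights."""
    return sum(1 for a in accounts if a.enabled and a.privileged)


def pct_managers_certifying(accounts: List[Account]) -> float:
    """% of managers whose enabled reports all have certified roles.

    Disabled accounts are left out of the denominator; a manager with no
    enabled reports does not appear at all.
    """
    by_manager: Dict[str, List[bool]] = {}
    for a in accounts:
        if a.enabled:
            by_manager.setdefault(a.manager, []).append(a.role_certified)
    if not by_manager:
        return 0.0
    certifying = sum(1 for flags in by_manager.values() if all(flags))
    return 100.0 * certifying / len(by_manager)


def metrics_report(accounts: List[Account], today: date) -> Dict[str, float]:
    """Roll the four metrics into one dictionary for reporting."""
    return {
        "stale_accounts": len(stale_accounts(accounts, today)),
        "dead_but_active": len(dead_but_active(accounts)),
        "privileged_accounts": privileged_count(accounts),
        "pct_managers_certifying": round(pct_managers_certifying(accounts), 1),
    }


# Constructed sample inventory and reference date (not real data).
TODAY = date(2009, 5, 24)
SAMPLE = [
    Account("alice", True, date(2009, 5, 20), "active", False, "mgr1", True),
    Account("bob", True, date(2009, 1, 10), "active", True, "mgr1", True),         # stale and privileged
    Account("carol", True, None, "active", False, "mgr2", False),                   # never logged in
    Account("dave", True, date(2009, 5, 1), "terminated", True, "mgr2", False),    # dead but active
    Account("erin", False, date(2008, 12, 1), "terminated", False, "mgr3", True),  # correctly disabled
    Account("frank", True, date(2009, 4, 30), "active", False, "mgr3", True),
]

if __name__ == "__main__":
    for key, value in metrics_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Each function returns the matching records rather than only a count, so the same code that produces the number can also produce the list of accounts someone needs to act on; a metric that cannot be drilled into tends to be argued about rather than fixed.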

I am not a fan of some of these metrics, but they are interesting nonetheless. I hope to find time to analyze them further in the future.

1 comment for “A Few “Favorite” Security Metrics – RSA 2009 Edition”

  1. May 24, 2009 at 10:48 am

    For some of these, I wouldn’t even know if the metric was measuring badness or goodness.

    One additional possibility:

    “% of pingable systems that have been identified and assigned an owner.”
