Security Metrics are essential for quantitative measurement of any security program. Below, we’ve listed some security metrics (in no particular order) which can be used to measure the performance of your Vulnerability Management (VM) program. For demonstrating performance improvements, you can create dashboards / graphs which can show trends over time for some of these metrics. Consider using Vulnerability Management Platforms or GRC Solutions to help automate collection and reporting of some of these metrics.
Mean Time to Detect
Measures how long it takes for known vulnerabilities to be detected across the organization. If a Heartbleed 2 or EternalBlue 2 were discovered today, how long would it take to identify all the impacted systems across the organization?
Mean Time to Resolve
The mean time taken to remediate or patch a vulnerability after it has been identified by the Vulnerability Assessment (VA) tool (i.e. post-detection).
Average Window of Exposure
The time from when a vulnerability first became publicly known to when the impacted systems get patched.
This measures the ratio of known assets (e.g. from an Asset Management solution) to those which actually get scanned. It can be split into internal assets and external assets.
Scan Frequency by Asset Group
How frequently assets are scanned, broken down by grouping (e.g. internal assets, BU assets, assets in scope for compliance regimes such as PCI, etc.).
Number of Open Critical / High Vulnerabilities
Based on risk-based prioritization of vulnerabilities, which considers a number of factors (e.g. CVSS score, asset criticality, exploit availability, asset accessibility (Internet vs. intranet), asset owner, etc.).
Average Risk by BU / Asset Group etc.
Based on the risk-based prioritization of vulnerabilities outlined above, the average risk exposure can be calculated for different groupings.
Number of Exceptions Granted
This metric tracks the vulnerabilities that have not been remediated for various reasons. You may configure your scanner to overlook such vulnerabilities, but you still have to track them for auditing and/or future action, as they may still affect your risk posture.
Vulnerability Reopen Rate
This measures the effectiveness of the remediation process. A high rate means that the patching process is flawed.
% of Systems with no open High / Critical Vulnerability
The percentage of systems that are fully patched and have no high-severity vulnerability present. This can be reported by asset group.
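The following is an added example, not code from the original post or from any VM platform, showing how the time-, rate- and coverage-based metrics above can be computed from scanner findings. It assumes a simple per-finding record (asset, CVE id, severity, publication date, detection date, verified-fix date, reopen flag, exception flag) and a separate asset inventory; the sample findings and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    asset: str
    cve: str
    severity: str             # "critical", "high", "medium" or "low"
    published: date           # vulnerability first publicly known
    detected: date            # first reported by the VA scanner
    resolved: Optional[date]  # confirmed fixed by rescan; None while still open
    reopened: bool = False    # marked fixed earlier but resurfaced on a later scan
    exception: bool = False   # left open under an approved risk exception

def _mean_days(pairs):
    days = [(end - start).days for start, end in pairs]
    return mean(days) if days else 0.0

def mean_time_to_detect(findings):         # publication -> first detection
    return _mean_days((f.published, f.detected) for f in findings)
def mean_time_to_resolve(findings):        # detection -> verified fix
    return _mean_days((f.detected, f.resolved) for f in findings if f.resolved)
def average_window_of_exposure(findings):  # publication -> verified fix
    return _mean_days((f.published, f.resolved) for f in findings if f.resolved)

def reopen_rate(findings):                 # share of closed findings that came back
    ever_closed = [f for f in findings if f.resolved or f.reopened]
    return sum(f.reopened for f in ever_closed) / len(ever_closed) if ever_closed else 0.0
def open_high_critical(findings):          # exceptions excluded, track them separately
    return [f for f in findings
            if f.resolved is None and not f.exception and f.severity in ("critical", "high")]
def scan_coverage(inventory, scanned):     # known assets that actually got scanned
    return len(inventory & scanned) / len(inventory)
def pct_clean_systems(findings, inventory):
    # Caveat: a never-scanned asset has no findings and looks clean; read with scan_coverage()
    dirty = {f.asset for f in open_high_critical(findings)}
    return len(inventory - dirty) / len(inventory)

# Constructed sample data with placeholder CVE ids, not real scan output
INVENTORY = {"web-01", "web-02", "db-01", "vpn-01"}
SCANNED = {"web-01", "web-02", "db-01"}
FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-1", "critical", date(2024, 1, 1), date(2024, 1, 3), date(2024, 1, 10)),
    Finding("web-02", "CVE-EXAMPLE-1", "critical", date(2024, 1, 1), date(2024, 1, 5), None),
    Finding("db-01", "CVE-EXAMPLE-2", "high", date(2024, 2, 1), date(2024, 2, 11), None, reopened=True),
    Finding("web-01", "CVE-EXAMPLE-3", "medium", date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 20)),
    Finding("db-01", "CVE-EXAMPLE-4", "high", date(2024, 1, 15), date(2024, 1, 20), None, exception=True),
]
```

Note that vpn-01 counts as "clean" only because it was never scanned, which is why scan coverage (75% here) should always be reported next to the percentage of clean systems.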
Do let me know if you want us to add or modify any of the listed metrics. Check out the Vulnerability Assessment market within FireCompass to get more information on this market.