
Cyber Metrics

The Cyber Metric Library is a list of security metrics that can be used as a baseline for any executive reporting platform. The list is not exhaustive and focuses primarily on technical controls that can be measured easily with available tooling.

How to use this guide

Types of Metrics

  • control: A measure that tracks the implementation of actions, processes, or technologies designed to reduce or mitigate risks within the organization.
  • risk: A measure that provides visibility into existing or potential risks within the organization, helping to assess areas of vulnerability.
  • performance: A measure that evaluates the efficiency and speed with which a team is executing and delivering on control implementations and operational tasks.

Framework references

The following frameworks are used in the mapping of metrics

Asset Management

Metric                            Type
Assets known to Asset Management  control

Data Protection

Metric                                Type
Systems with their volumes encrypted  risk

Disaster Recovery

Metric                                                   Type
Systems with backups configured per their SLO            control
Systems that have had a successful backup per their SLO  performance

Identity Management

Metric                                              Type
Identities with MFA                                 risk
Identity - Credentials - Regular Password Rotation  control
Identity - Inactive Identities                      control
Accounts without Admin privileges                   risk

Malware Protection

Metric                                     Type
Systems with an up-to-date agent deployed  control

Network Security

Metric                                                             Type
Network Security - DNS Domains Expiring Within the Next Month      risk
Network Security - DNS Domains with SPF configured                 risk
Network Security - DNS Domains with DMARC configured               risk
Network Security - External endpoints with insecure ports exposed  risk
Network Security - External endpoints protected by a WAF           control

Software Development

Metric                                                                         Type
SDLC - Repositories with SAST / DAST scanning enabled                          control
SDLC - Repositories without exploitable vulnerabilities                        risk
SDLC - Repositories without exploitable vulnerabilities remediated within SLO  performance

User Security

Metric                                                    Type
Users completed awareness training in the last 12 months  control

Vulnerability Management

Metric                                                                               Type
Systems with an up-to-date agent deployed                                            control
Systems with an up-to-date vulnerability database deployed                           control
End-of-life - Systems running vendor-supported software                              risk
Vulnerabilities not remediated within SLO - critical and high                        performance
Vulnerabilities not remediated within SLO - exploitable                              performance
Vulnerabilities not remediated within SLO - exploitable patchable                    performance
Vulnerabilities not remediated within SLO - exploitable patchable critical and high  performance
Vulnerabilities not remediated within SLO - patchable                                performance
Systems without vulnerabilities - exploitable and patchable critical and high        risk
Systems without vulnerabilities in 48 hours - exploitable or critical and high       risk
Systems without vulnerabilities - non critical patched in 2 weeks                    risk
Systems without vulnerabilities - non critical patched in a month                    risk