Cyber Metrics

A curated library of actionable security metrics to power your executive reporting.

The Cyber Metric Library provides a curated list of measurable security indicators. It’s designed to simplify executive reporting and highlight the maturity of your security controls. This list focuses on technical metrics that are easy to track using commonly available tools.

How to use this guide

Types of Metrics

KxI | Description | Example
control | A measure that tracks the implementation of actions, processes, or technologies designed to reduce or mitigate risks within the organization. | % of systems with MFA enforced
risk | A measure that provides visibility into existing or potential risks within the organization, helping to assess areas of vulnerability. | % of endpoints with critical vulnerabilities
performance | A measure that evaluates the efficiency and speed with which a team is executing and delivering on control implementations and operational tasks. | Time to deploy security patches

Framework references

The following frameworks are used in the mapping of metrics.

Contribute

Looking to contribute new metrics? Submit a new metric request

Asset Management

Metric | Type
Assets known to Asset Management | control

Data Protection

Metric | Type
Systems with their volumes encrypted | risk

Disaster Recovery

Metric | Type
Systems with backups configured per their SLO | control
Systems that have had a successful backup per their SLO | performance

Identity Management

Metric | Type
Identities with MFA | risk
Identity - Credentials - Regular Password Rotation | control
Identity - Inactive Identities | control
Accounts without Admin privileges | risk

Malware Protection

Metric | Type
Systems with an up-to-date agent deployed | control

Network Security

Metric | Type
Network Security - DNS Domains Expiring Within the Next Month | risk
Network Security - DNS Domains with SPF configured | risk
Network Security - DNS Domains with DMARC Configured | risk
Network Security - External endpoints with insecure ports exposed | risk
Network Security - External endpoints protected by a WAF | control

Software Development

Metric | Type
SDLC - Repositories with SAST / DAST scanning enabled | control
SDLC - Repositories without exploitable vulnerabilities | risk
SDLC - Repositories without exploitable vulnerabilities remediated within SLO | performance

User Security

Metric | Type
Users completed awareness training in the last 12 months | control

Vulnerability Management

Metric | Type
Systems with an up-to-date agent deployed | control
Systems with an up-to-date vulnerability database deployed | control
End-of-life - Systems running vendor-supported software | risk
Vulnerabilities not remediated within SLO - critical and high | performance
Vulnerabilities not remediated within SLO - exploitable | performance
Vulnerabilities not remediated within SLO - exploitable patchable | performance
Vulnerabilities not remediated within SLO - exploitable patchable critical and high | performance
Vulnerabilities not remediated within SLO - patchable | performance
Systems without vulnerabilities - exploitable and patchable critical and high | risk
Systems without vulnerabilities in 48 hours - exploitable or critical and high | risk
Systems without vulnerabilities - non critical patched in 2 weeks | risk
Systems without vulnerabilities - non critical patched in a month | risk