Metric Library
The Cyber Metric Library is a list of security metrics that can be used as a baseline for any executive reporting platform. The list is not exhaustive, and is focussed primarily on technical controls that can be measured easily with available tooling.
How to use this guide
Types of Metrics
A measure that tracks the implementation of actions, processes, or technologies designed to reduce or mitigate risks within the organization.
A measure that provides visibility into existing or potential risks within the organization, helping to assess areas of vulnerability.
A measure that evaluates the efficiency and speed with which a team is executing and delivering on control implementations and operational tasks.
Framework references
The following frameworks are used in the mapping of metrics: ISO 27001:2022, CIS 8.1 and NIST CSF v2.0 (the Framework column of each reference table below).
List of Metrics
Systems with an up-to-date agent deployed
Description
The percentage of systems with an up-to-date vulnerability management agent deployed. Agent coverage provides the visibility into security gaps that the organization needs in order to act swiftly on exploitable weaknesses.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
CIS 8.1 | 7.5 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
CIS 8.1 | 7.6 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Systems without exploitable patchable vulnerabilities
Description
The percentage of systems within the organization that are free of known exploitable vulnerabilities for which a patch is available. It reflects the organization's ability to reduce risk through timely patch management and to maintain a secure operational environment.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
CIS 8.1 | 7.3 | Continuous Vulnerability Management | Perform Automated Operating System Patch Management |
CIS 8.1 | 7.4 | Continuous Vulnerability Management | Perform Automated Application Patch Management |
NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Systems without exploitable patchable vulnerabilities remediated within SLO
Description
The percentage of systems that have resolved exploitable, patchable vulnerabilities within the agreed Service Level Objective (SLO). It gives critical insight into the organization's ability to minimize exposure to known threats and to reduce the attack surface effectively.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
CIS 8.1 | 7.7 | Continuous Vulnerability Management | Remediate Detected Vulnerabilities |
NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
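The three vulnerability metrics above are all derived from the same asset-and-finding inventory, so the following added example (not code from the Cyber Metric Library) computes all three from one constructed fleet. The per-severity SLO values, the "current" agent version string, the host names and the VULN-xxxx identifiers are assumptions and placeholders; the page leaves them to the organization. Two choices a practitioner should make explicit are built in: a system with no agent has no finding data and is counted as not clean rather than dropped from the denominator, so a coverage gap cannot inflate the score; and the SLO metric only counts systems that actually had an in-scope finding, so a fleet with nothing to remediate does not report a misleading 0 %.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumptions, not values from the Metric Library: remediation SLO in days per
# severity, the agent version currently considered up to date, and the report date.
SLO_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
CURRENT_AGENT = "3.2.0"
REPORT_DATE = date(2024, 6, 30)


@dataclass
class Vuln:
    vuln_id: str                      # placeholder id, not a real CVE
    severity: str
    exploitable: bool                 # a working exploit is known to exist
    patch_available: bool
    first_seen: date
    fixed_on: Optional[date] = None   # None = still open

    def in_scope(self) -> bool:
        """Only exploitable *and* patchable findings count for these metrics."""
        return self.exploitable and self.patch_available

    def due(self) -> date:
        return self.first_seen + timedelta(days=SLO_DAYS[self.severity])

    def is_open(self, as_of: date) -> bool:
        return self.fixed_on is None or self.fixed_on > as_of

    def within_slo(self, as_of: date) -> bool:
        """Fixed on or before the due date, or still open but not yet due."""
        if not self.is_open(as_of):
            return self.fixed_on <= self.due()
        return as_of <= self.due()


@dataclass
class System:
    name: str
    agent_version: Optional[str]      # None = no agent, hence no finding data
    vulns: list[Vuln] = field(default_factory=list)


def pct(num: int, den: int) -> float:
    """Percentage rounded to one decimal; an empty denominator reports 0.0, not an error."""
    return round(100.0 * num / den, 1) if den else 0.0


def agent_coverage(systems: list[System]) -> float:
    """Systems with an up-to-date agent deployed."""
    return pct(sum(1 for s in systems if s.agent_version == CURRENT_AGENT), len(systems))


def free_of_exploitable_patchable(systems: list[System], as_of: date) -> float:
    """Systems without exploitable patchable vulnerabilities.

    A system with no agent has no data and is counted as NOT clean (it stays in
    the denominator), so missing coverage cannot make the fleet look healthier.
    """
    clean = sum(
        1 for s in systems
        if s.agent_version is not None
        and not any(v.in_scope() and v.is_open(as_of) for v in s.vulns)
    )
    return pct(clean, len(systems))


def remediated_within_slo(systems: list[System], as_of: date) -> float:
    """Systems without exploitable patchable vulnerabilities remediated within SLO.

    Denominator: systems that have had at least one in-scope finding. A system is
    compliant only if every in-scope finding is within SLO; one overdue finding
    makes the whole system non-compliant.
    """
    affected = [s for s in systems if any(v.in_scope() for v in s.vulns)]
    compliant = [s for s in affected
                 if all(v.within_slo(as_of) for v in s.vulns if v.in_scope())]
    return pct(len(compliant), len(affected))


def sample_fleet() -> list[System]:
    """Constructed sample inventory (not real data)."""
    return [
        System("web-01", "3.2.0", [Vuln("VULN-0001", "critical", True, True, date(2024, 6, 1), date(2024, 6, 5))]),
        System("web-02", "3.1.0", [Vuln("VULN-0002", "high", True, True, date(2024, 5, 1))]),     # stale agent, overdue
        System("db-01", "3.2.0", [Vuln("VULN-0003", "medium", False, True, date(2024, 6, 10))]),  # not exploitable
        System("app-01", "3.2.0", [
            Vuln("VULN-0004", "critical", True, True, date(2024, 6, 20)),                     # open and overdue
            Vuln("VULN-0005", "high", True, True, date(2024, 6, 25), date(2024, 6, 28)),      # fixed on time
        ]),
        System("legacy-01", None),                                                             # no agent at all
    ]


def vulnerability_report(systems: list[System], as_of: date) -> dict[str, float]:
    return {
        "agent_coverage_pct": agent_coverage(systems),
        "free_of_exploitable_patchable_pct": free_of_exploitable_patchable(systems, as_of),
        "remediated_within_slo_pct": remediated_within_slo(systems, as_of),
    }


if __name__ == "__main__":
    for metric, value in vulnerability_report(sample_fleet(), REPORT_DATE).items():
        print(f"{metric:40s} {value:5.1f}")
```

On the constructed fleet the report reads 60.0 % agent coverage, 40.0 % of systems free of exploitable patchable findings, and 33.3 % remediated within SLO: `legacy-01` drags down the second figure because it cannot prove it is clean, and `app-01` fails the third despite fixing one finding on time, because its critical finding is three days past due.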
Regular Password Rotation
Description
Regular password rotation ensures that credentials are periodically updated, reducing the risk of unauthorized access through compromised or stale passwords, which is critical to maintaining the security of the organization's systems and data.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.5 | 8 Technological controls | Secure authentication |
NIST CSF v2.0 | PR.AA-02 | Identity Management, Authentication, and Access Control (PR.AA) | PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions |
Accounts without Admin privileges
Description
The percentage of user accounts configured without administrative rights. Keeping this figure high reduces the attack surface, limits the potential impact of compromised credentials and aligns with the principle of least privilege for protecting organizational systems and data.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.2 | 8 Technological controls | Privileged access rights |
CIS 8.1 | 5.4 | Account Management | Restrict Administrator Privileges to Dedicated Administrator Accounts |
NIST CSF v2.0 | PR.AA-05 | Identity Management, Authentication, and Access Control (PR.AA) | PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties |
Accounts in use
Description
This metric (also referred to as Dormant Identities) tracks the number of unused or inactive accounts within the organization. Dormant accounts are prime targets for unauthorized access and exploitation, so identifying and deactivating them promptly is essential for reducing the attack surface and maintaining robust access controls.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.5.16 | 5 Organizational controls | Identity management |
CIS 8.1 | 5.3 | Account Management | Disable Dormant Accounts |
NIST CSF v2.0 | PR.AA-01 | Identity Management, Authentication, and Access Control (PR.AA) | PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization |
Identities with MFA
Description
The percentage of user accounts secured with multi-factor authentication. It quantifies the effectiveness of identity protection: MFA reduces the risk of unauthorized access, safeguards sensitive assets and limits the impact of credential-based attacks.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.5.17 | 5 Organizational controls | Authentication information |
CIS 8.1 | 6.3 | Access Control Management | Require MFA for Externally-Exposed Applications |
CIS 8.1 | 6.4 | Access Control Management | Require MFA for Remote Network Access |
CIS 8.1 | 6.5 | Access Control Management | Require MFA for Administrative Access |
NIST CSF v2.0 | PR.AA-03 | Identity Management, Authentication, and Access Control (PR.AA) | PR.AA-03: Users, services, and hardware are authenticated |
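The four identity metrics above (password rotation, accounts without admin privileges, accounts in use, identities with MFA) all come from one account inventory, so here is one added example, not code from the Cyber Metric Library, that computes them from a constructed directory export. The 90-day rotation period, the 90-day dormancy threshold, the account names and the human/service split are assumptions. The scoping rules are where these metrics usually go wrong in practice, so they are explicit: disabled accounts are excluded from every denominator, a never-used account is judged against its creation date so a brand-new account is not reported as dormant, and service accounts are left out of the MFA denominator because they cannot answer an interactive prompt (they should be tracked separately, not silently counted as failures or successes).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumptions, not values from the Metric Library.
REPORT_DATE = date(2024, 6, 30)
DORMANT_AFTER = timedelta(days=90)      # no sign-in for this long = dormant
PASSWORD_MAX_AGE = timedelta(days=90)   # rotation period


@dataclass
class Account:
    name: str
    enabled: bool
    kind: str                    # "human" or "service"
    is_admin: bool
    mfa_enrolled: bool
    created: date
    password_set: date
    last_login: Optional[date]   # None = never signed in

    def dormant(self, as_of: date) -> bool:
        """A never-used account gets the same grace window, measured from creation."""
        reference = self.last_login if self.last_login is not None else self.created
        return as_of - reference > DORMANT_AFTER

    def password_fresh(self, as_of: date) -> bool:
        return as_of - self.password_set <= PASSWORD_MAX_AGE


def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def enabled_only(accounts: list[Account]) -> list[Account]:
    """Disabled accounts are already contained; they leave every denominator."""
    return [a for a in accounts if a.enabled]


def regular_password_rotation(accounts: list[Account], as_of: date) -> float:
    scope = enabled_only(accounts)
    return pct(sum(1 for a in scope if a.password_fresh(as_of)), len(scope))


def accounts_without_admin(accounts: list[Account]) -> float:
    scope = enabled_only(accounts)
    return pct(sum(1 for a in scope if not a.is_admin), len(scope))


def accounts_in_use(accounts: list[Account], as_of: date) -> float:
    scope = enabled_only(accounts)
    return pct(sum(1 for a in scope if not a.dormant(as_of)), len(scope))


def identities_with_mfa(accounts: list[Account]) -> float:
    """Human identities only; service accounts cannot complete an MFA prompt."""
    scope = [a for a in enabled_only(accounts) if a.kind == "human"]
    return pct(sum(1 for a in scope if a.mfa_enrolled), len(scope))


def sample_accounts() -> list[Account]:
    """Constructed directory export (not real data)."""
    return [
        Account("alice", True, "human", False, True, date(2023, 1, 9), date(2024, 5, 15), date(2024, 6, 28)),
        Account("bob", True, "human", True, True, date(2022, 3, 1), date(2024, 1, 10), date(2024, 2, 1)),       # dormant, stale password
        Account("carol", True, "human", False, False, date(2023, 8, 14), date(2024, 6, 1), date(2024, 6, 20)),
        Account("svc-backup", True, "service", False, False, date(2023, 11, 1), date(2023, 12, 1), date(2024, 6, 29)),
        Account("dave", True, "human", False, False, date(2024, 6, 25), date(2024, 6, 25), None),               # new, never signed in
        Account("erin", False, "human", True, False, date(2021, 5, 5), date(2023, 1, 1), date(2023, 6, 1)),     # disabled
    ]


def identity_report(accounts: list[Account], as_of: date) -> dict[str, float]:
    return {
        "regular_password_rotation_pct": regular_password_rotation(accounts, as_of),
        "accounts_without_admin_pct": accounts_without_admin(accounts),
        "accounts_in_use_pct": accounts_in_use(accounts, as_of),
        "identities_with_mfa_pct": identities_with_mfa(accounts),
    }


if __name__ == "__main__":
    for metric, value in identity_report(sample_accounts(), REPORT_DATE).items():
        print(f"{metric:32s} {value:5.1f}")
```

With the constructed export the report is 60.0 % password rotation, 80.0 % accounts without admin, 80.0 % accounts in use and 50.0 % identities with MFA. Note that `dave` counts as in use despite never signing in, and that `erin`, a disabled admin with no MFA, affects none of the figures; if the directory export were taken without the `enabled` flag, both the admin and the MFA numbers would shift.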
External endpoints protected by a WAF
Description
The "Network Application Firewall: External Endpoints Protected by a WAF" metric measures the proportion of external-facing endpoints shielded by a Web Application Firewall (WAF). It highlights an organization's ability to prevent unauthorized access, mitigate threats such as SQL injection and cross-site scripting, and safeguard critical systems from cyberattacks, making it a key indicator of external-facing application security.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.20 | 8 Technological controls | Networks security |
CIS 8.1 | 13.3 | Network Monitoring and Defense | Deploy a Network Intrusion Detection Solution |
NIST CSF v2.0 | PR.IR-01 | Technology Infrastructure Resilience (PR.IR) | PR.IR-01: Networks and environments are protected from unauthorized logical access and usage |
External endpoints with insecure ports exposed
Description
The "Insecure Ports" metric tracks external endpoints with open ports that are improperly configured or vulnerable. Such ports are potential entry points for cyberattacks, so tracking them is critical for reducing the organization's exposure to exploitation and securing its network infrastructure.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.20 | 8 Technological controls | Networks security |
CIS 8.1 | 12.2 | Network Infrastructure Management | Establish and Maintain a Secure Network Architecture |
NIST CSF v2.0 | PR.DS-02 | Data Security (PR.DS) | PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected |
Repositories without exploitable vulnerabilities
Description
The percentage of code repositories free from known security flaws. It shows whether development efforts prioritize secure coding practices, reduce the risk of breaches and maintain the integrity of the software development lifecycle, and so directly reflects the organization's ability to deliver secure products and protect against potential cyber threats.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.25 | 8 Technological controls | Secure development life cycle |
CIS 8.1 | 16.12 | Application Software Security | Implement Code-Level Security Checks |
NIST CSF v2.0 | PR.PS-06 | Platform Security (PR.PS) | PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle |
Repositories without exploitable vulnerabilities remediated within SLO
Description
The percentage of code repositories in the development pipeline that have resolved critical security vulnerabilities within the established service level objective (SLO), ensuring that potential threats are mitigated in a timely manner to reduce exposure to security risks and maintain compliance with security standards.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.25 | 8 Technological controls | Secure development life cycle |
CIS 8.1 | 16.12 | Application Software Security | Implement Code-Level Security Checks |
NIST CSF v2.0 | PR.PS-06 | Platform Security (PR.PS) | PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle |
Repositories with SAST / DAST scanning enabled
Description
The percentage of code repositories with Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scanning enabled, ensuring early detection of vulnerabilities during development and reducing the risk of security breaches before code is deployed.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.25 | 8 Technological controls | Secure development life cycle |
CIS 8.1 | 16.12 | Application Software Security | Implement Code-Level Security Checks |
NIST CSF v2.0 | PR.PS-06 | Platform Security (PR.PS) | PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle |
Systems with backups configured per their SLO
Description
The percentage of systems with backups configured in accordance with their Service Level Objectives (SLO), ensuring critical data can be restored in the event of a failure, which is essential for maintaining business continuity and mitigating the impact of data loss.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.13 | 8 Technological controls | Information backup |
CIS 8.1 | 11.2 | Data Recovery | Perform Automated Backups |
NIST CSF v2.0 | PR.DS-11 | Data Security (PR.DS) | PR.DS-11: Backups of data are created, protected, maintained, and tested |
Systems that have had a successful backup per their SLO
Description
The percentage of systems that successfully complete backups within their defined Service Level Objectives (SLO), ensuring data integrity and availability, which is critical for minimizing downtime, protecting against data loss and maintaining business continuity in the event of an incident.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.13 | 8 Technological controls | Information backup |
CIS 8.1 | 11.2 | Data Recovery | Perform Automated Backups |
NIST CSF v2.0 | PR.DS-11 | Data Security (PR.DS) | PR.DS-11: Backups of data are created, protected, maintained, and tested |
Systems with their volumes encrypted
Description
The percentage of systems with their volumes fully encrypted, ensuring that sensitive data is protected from unauthorized access in the event of a device loss or breach, which is crucial for safeguarding company assets and complying with data protection regulations.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.24 | 8 Technological controls | Use of cryptography |
CIS 8.1 | 3.11 | Data Protection | Encrypt Sensitive Data at Rest |
NIST CSF v2.0 | PR.DS-01 | Data Security (PR.DS) | PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected |
Systems with an up-to-date agent deployed
Description
The percentage of systems with an up-to-date malware detection agent deployed, ensuring the organization's defenses are robust against the latest threats, which is critical for minimizing exposure to malware attacks.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.7 | 8 Technological controls | Protection against malware |
CIS 8.1 | 10.1 | Malware Defenses | Deploy and Maintain Anti-Malware Software |
NIST CSF v2.0 | PR.PS-05 | Platform Security (PR.PS) | PR.PS-05: Installation and execution of unauthorized software are prevented |
Users completed awareness training in the last 12 months
Description
The percentage of users who have completed security awareness training in the last 12 months, ensuring that employees are equipped with the latest knowledge to identify and mitigate cyber threats, which is critical for reducing organizational vulnerabilities and enhancing overall security posture.
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.6.3 | 6 People controls | Information security awareness, education and training |
CIS 8.1 | 14.2 | Security Awareness and Skills Training | Train Workforce Members to Recognize Social Engineering Attacks |
CIS 8.1 | 14.3 | Security Awareness and Skills Training | Train Workforce Members on Authentication Best Practices |
CIS 8.1 | 14.4 | Security Awareness and Skills Training | Train Workforce on Data Handling Best Practices |
CIS 8.1 | 14.5 | Security Awareness and Skills Training | Train Workforce Members on Causes of Unintentional Data Exposure |
CIS 8.1 | 14.6 | Security Awareness and Skills Training | Train Workforce Members on Recognizing and Reporting Security Incidents |
CIS 8.1 | 14.7 | Security Awareness and Skills Training | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates |
CIS 8.1 | 14.8 | Security Awareness and Skills Training | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks |
NIST CSF v2.0 | PR.AT-01 | Awareness and Training (PR.AT) | PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind |