Mar 18 2026
Security

Cybersecurity Metrics Organizations Should Track to Ensure Investments Are Working

Follow these best practices for cybersecurity measurements to ensure robust cybersecurity protections.

As cyberthreats grow more sophisticated and costly, business leaders are pouring more money than ever into cybersecurity tools. According to research from Microsoft, 1 of every 3 small and midsized businesses was affected by a ransomware attack in 2024. But for many business leaders, cybersecurity remains a cost center and a black box.

To bridge this gap, IT leaders must tackle a fundamental question: How do they prove these investments are actually reducing risk?

“Cybersecurity metrics are the measures organizations use to understand how well they are managing cyber risk and, in turn, where to prioritize resources,” says Jon France, CISO at ISC2.  

“Done well, these metrics give leaders a realistic view of where risk exists and whether their cybersecurity investments are actually making a difference,” he adds. “These are not just numbers; they paint a picture of an organization’s security posture, providing a way to see, in real time, how effectively we prevent, detect and respond to threats.” 


What Are Cybersecurity Metrics?

Metrics “can mean different things for different people, roles, departments and organizations,” says Randy Rose, vice president of security operations and intelligence at the Center for Internet Security (CIS). “At a high level, metrics are quantifiable and measurable data points that help tell the story of key objectives, such as effectiveness, efficiency or risk.” 
 
Cybersecurity metrics are “quantifiable data points that measure how well your security program is actually working,” says Aparna Achanta, principal security architect at IBM and a member of the ISACA Emerging Trends Working Group. 

The best way to think of metrics is as “vital signs for your organization’s digital health,” she says. “They translate activities like patching or user training into numeric values. Well-chosen metrics help leaders assess how effective controls are, spot trends and show improvement over time.” 


Categories and Types of Cybersecurity Metrics

Cybersecurity metrics will vary by organization and how they have built their security strategy, according to Rose. He says a key best practice is to align metrics with a framework like the National Institute of Standards and Technology’s Cybersecurity Framework, CIS Controls or something similar that informs an organization’s security model. 

If NIST CSF is the model of choice, he says, then metrics would be aligned to the six core functions: identify, protect, detect, respond, recover and govern.

Metrics can be grouped by purpose and scope, Achanta says. Those include:

  • Operational vs. strategic. Operational metrics “reflect day-to-day security tasks, such as time to apply patches or alerts handled per day,” she says. “Strategic metrics translate security performance into business impact or risk, such as estimated cost of a breach or ROI of security investments.”
  • Technical vs. people vs. process. Technical metrics “measure systems and tools, such as percent of devices with up-to-date anti-virus. People metrics cover user behavior like phishing-click rates or training completion. And process metrics track procedures such as audit pass rates, incident response times or policy compliance,” Achanta says.
  • Leading vs. lagging. Leading (input) metrics “gauge preventive efforts; for example, percentage of endpoints fully patched or percent of staff who have taken security training. Lagging (outcome) metrics record results, such as the number of successful breaches or system downtime after an attack,” she says.
  • Risk and vulnerability metrics. These metrics measure exposure through unpatched systems or misconfigured networks. 
  • Compliance and governance metrics. These are used to prove an organization is meeting regulations, such as HIPAA, or state-specific requirements, Achanta says. 
  • User behavior and awareness metrics. These metrics measure whether employees are clicking on phishing emails or following security policies, she says.  


Key Cybersecurity Metrics You Should Track 

There are several cybersecurity metrics that are important for IT leaders and their staff to keep track of, experts say. They include: 

Detection and Response Metrics

These are critical for minimizing overall risk and exposure for the organization, Rose says. “The faster an organization can identify, contain, and eradicate unauthorized activity, the better,” he notes.

“Detection and response metrics, such as mean time to resolution (MTTR), are some of the most important indicators of cybersecurity effectiveness because they show how quickly an organization can identify and contain a threat,” France says.

Vulnerability Management

Vulnerabilities represent the “holes or potential holes in the infrastructure that could allow an attacker to gain unauthorized access, so measuring and reporting on the efficiency in patching identified vulnerabilities can be an important step in reducing overall risk,” Rose notes. 

Such metrics track how well software flaws are discovered and fixed, Achanta says; for example, measuring the percentage of critical vulnerabilities patched or the average time to deploy patches. 
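As an added illustration (not code from the article or from the experts quoted), the following computes the metrics named in this section and the previous one from constructed incident and finding records: MTTR over resolved incidents, the percentage of critical vulnerabilities patched, mean days to patch, and a leading-indicator list of critical findings past an SLA window. The record layout and the seven-day critical-patch SLA are assumptions; open items are handled explicitly rather than silently counted as zero.

```python
"""Worked metrics over constructed sample records (not real data)."""
from datetime import datetime
from statistics import mean

# Constructed incidents; 'resolved' is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "detected": datetime(2026, 3, 1, 9), "resolved": datetime(2026, 3, 1, 13)},
    {"id": "INC-2", "detected": datetime(2026, 3, 3, 8), "resolved": datetime(2026, 3, 4, 8)},
    {"id": "INC-3", "detected": datetime(2026, 3, 10, 12), "resolved": None},
]

# Constructed vulnerability findings; 'patched' is None while unpatched.
VULNS = [
    {"id": "V-1", "severity": "critical", "found": datetime(2026, 2, 1), "patched": datetime(2026, 2, 5)},
    {"id": "V-2", "severity": "critical", "found": datetime(2026, 2, 10), "patched": None},
    {"id": "V-3", "severity": "high", "found": datetime(2026, 2, 12), "patched": datetime(2026, 2, 22)},
    {"id": "V-4", "severity": "critical", "found": datetime(2026, 2, 20), "patched": datetime(2026, 3, 2)},
]

def mean_time_to_resolve_hours(incidents):
    """Lagging metric: MTTR in hours over resolved incidents only. Open
    incidents are excluded, not counted as zero, so they cannot flatter it."""
    hours = [(i["resolved"] - i["detected"]).total_seconds() / 3600
             for i in incidents if i["resolved"] is not None]
    return mean(hours) if hours else None

def critical_patched_pct(vulns):
    """Percentage of critical findings that have a patch applied."""
    crit = [v for v in vulns if v["severity"] == "critical"]
    if not crit:
        return None
    return 100.0 * sum(v["patched"] is not None for v in crit) / len(crit)

def mean_days_to_patch(vulns, severity=None):
    """Average days from discovery to patch, optionally for one severity."""
    done = [v for v in vulns if v["patched"] is not None
            and (severity is None or v["severity"] == severity)]
    return mean((v["patched"] - v["found"]).days for v in done) if done else None

def patch_sla_breaches(vulns, as_of, critical_days=7):
    """Leading metric: critical findings that exceeded the assumed SLA window.
    Unpatched findings are measured up to 'as_of' so they still count."""
    return [v["id"] for v in vulns if v["severity"] == "critical"
            and ((v["patched"] or as_of) - v["found"]).days > critical_days]

if __name__ == "__main__":
    print("MTTR (h):", mean_time_to_resolve_hours(INCIDENTS))
    print("critical patched %:", round(critical_patched_pct(VULNS), 1))
    print("SLA breaches:", patch_sla_breaches(VULNS, datetime(2026, 3, 15)))
```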

Threat Detection and Prevention

Threat detection and prevention metrics help organizations understand “how well their security controls are detecting and mitigating attacks before they turn into incidents that affect business continuity or safety, or have other impacts,” France says.

User and Training Metrics

User and training metrics focus on how well “employees understand and practice good cybersecurity habits, recognizing that people are often the first line of defense,” says France.

“Users are often considered the biggest weakness, but they’re more accurately described as the first line of defense,” Rose adds. “With malicious email being the primary entry vector for successful cyberattacks, keeping your staff well educated, trained up and aware of likely threats is among the best ways to reduce overall cyber risk.”

Access and Identity

To measure the effectiveness of controls tied to access and identity, it’s critical to know the 4 Ws of access management, Rose says. 

“Who is allowed to access what; when are they allowed to access it; and where can they access it from or send it to,” he says. “The focus is ensuring unauthorized access is disallowed, and people who are authorized are not unnecessarily restricted.”

System Health and Coverage

System health and coverage metrics help organizations “understand whether security tools are deployed consistently and whether they are working as intended across the environment,” says France. 

These metrics are focused on “knowing which critical assets aren’t covered by security tools, revealing blind spots,” Achanta says. 

Additionally, these metrics are mostly focused on an organization’s ability to ensure security tools are functioning as intended, Rose says. “Regular monitoring and assessment of your security controls and tools, as well as gap analysis, is required to ensure you’re meeting the minimum standard you have set for yourself,” he says.  

Incident Management

Like detection and response metrics and vulnerability metrics, incident response measurements are primarily related to reducing risk.

“No matter how good an organization is at preventive controls, some incidents will inevitably occur,” Rose says. “Not all incidents or incident types are critical; that is determined by the organization. Metrics aligned in this area should be focused on driving efficiency in proper incident management aligned with the organization’s overall security strategy.”


Best Practices for Implementing Cybersecurity Metrics

When implementing cybersecurity metrics, IT leaders should focus on measures that “clearly tie back to organizational risk and mission priorities, not just what security tools can easily report,” France says.

The most useful metrics show trends over time and lead organizations to make more informed decisions, rather than serving as one-time snapshots. “They also should be tailored to different audiences and revisited regularly as threats, technology and business needs continue to change,” he says. 

Another best practice, Rose says, is to split metrics into things that are important to business leaders (also known as above-the-line metrics) and those that are important to the line-level leaders and administrators (below-the-line metrics).

“Above-the-line metrics focus on telling business leaders what they need to know, aligned to the mission or operational success of a business line, while not being concerned with the how or tactical level information that might be of interest to a technical leader,” Rose says. 

Achanta notes that IT leaders should “keep it simple and actionable” when it comes to metrics. “Your metrics need to make sense to nontechnical people,” she says. “If you can’t explain a metric without launching into technical jargon, it’s not the right metric for leadership reporting.”

She also argues for organizations to automate security metrics dashboards wherever possible, establish baselines and track trends, and prioritize what they can realistically fix. 


Industry-Specific Considerations for Cyber Metrics

While core metrics like MTTR and patch rates apply universally, organizations should also track metrics tailored to their specific industry risks and regulatory environments, experts say.

  • Retail: For retailers, protecting customer payment data and ensuring uptime are paramount. Key metrics include adherence to the Payment Card Industry Data Security Standard (PCI DSS) and the mean time to detect tampering with point-of-sale devices. Additionally, e-commerce retailers should track site availability and transaction success rates during peak traffic periods to ensure security controls aren't impeding sales.
  • Finance: Financial institutions should focus heavily on fraud detection and transaction integrity. Useful metrics include the speed of fraud detection (time-to-identify for anomalous transactions) and compliance with standards like PCI DSS or the Sarbanes-Oxley Act.
  • Manufacturing: For the manufacturing sector, where uptime equals revenue, metrics often focus on operational technology and industrial control systems. Leaders should track the percentage of OT assets visible in inventory and the frequency of security assessments on production line controllers, aligned with the NIST Manufacturing Profile.