Security Metrics Overview

Metrics is a term used to denote a measure based on a reference and involves at least two points, the measure and the reference. Security in its most basic meaning is the protection from or absence of danger. Literally, security metrics should tell us about the state or degree of safety relative to a reference point and what to do to avoid danger. Contemporary security metrics by and large fail to do so. They tell us little about the actual degree of “safety” of our systems or processes, much less about the organization as a whole. They say little about the appropriate course of action, and they are typically not specific to the needs of the recipient.