Cyber Security metrics: How to establish?

By March 19, 2021 No Comments

*Mileny Ferreira


The difficulties faced by organizations with regard to the treatment and prevention of security threats are great and require caution. For this purpose, numerous recommendations are punctuated to analyze and establish information security in the systems.

The idea of quantification applied to information security encompasses both the development of security metrics as well as risk assessment, measurement models and studies on economic impacts.

After all, what are metrics?

Metric is a way used to represent a measure based on a reference, just as information security, in its simplest meaning, can be represented by protection against threats or the absence of threats. Metrics should portray the level of security and contribute to decision making when it comes to addressing or avoiding threats.

Thus, the presentation of the results makes it possible to identify technical, operational and management controls, in order to assess the effectiveness of the controls that are being carried out and provide an overview of the failures and security problems within the organization. System owners and even managers can isolate problems, and use the data to support investment requests in the area.

How to carry out an effective monitoring of KPIs?

To assess and improve the level of information protection, it is advisable for the company to invest in the procedure of calculating and analyzing security metrics. Generally, the organization has tools for: encryption, firewalls, VPN, intrusion detection systems, among others. But just implementing these solutions will not guarantee the level of security. For this reason, it is necessary to generate relevant cybersecurity metrics capable of meeting the needs and particularities of the organization. And in order for them to be efficient, there are some basic criteria that can be followed as guidelines: These must be accurate so that there is data integrity, profitable so as not to require a lot of maintenance and there is not much cost, timeable to show changes over time , because an effective indicator must be collected and grouped by several time intervals to present variations and patterns, and finally, the metrics must be simple, they must not be excessively complicated to measure, so that the objective is clear.

Metrics examples

Thinking about primary information security objectives in an organization that is the protection of information against unauthorized users, some of the most suitable metrics to be followed are:

  • Average detection time: Shows how long it takes to detect a security event;
  • Asset risks: Checks which assets have the greatest impact, enhancing the effectiveness of time and financial resources, and contributing to asset risk management;
  • Average repair time: How long does your company take to fix security flaws;
  • Security vulnerabilities: Access points for potential threats;
  • Attack detection: Methods used to identify attacks.

These are just a few examples of metrics used to improve performance rates. information security. Remember, the best choice of KPIs for your organization, you should consider the specifics of your business.

* Mileny Ferreira is GRC and Information Security Consultant at [SAFEWAY]



SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions, through Information Security projects that fully meet the needs of the business. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence in our clients, which constitute in large part, the 100 largest companies in Brazil. Today through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology, process and people solutions.