CIS Consensus Information Security Metrics

Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely accepted and unambiguous metrics for decision support. CIS established a consensus group of industry experts to address this need. The result is:

  • A set of Consensus Security Metrics and data set definitions that can be used across organizations to collect and analyze data on security process and performance outcomes

Initial Scope

Key criteria were established for the initial set of consensus metrics: the team was to develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring:

  1. The frequency and severity of security incidents;
  2. Incident recovery performance; and
  3. Use of security practices generally regarded as effective.

Developing metrics that utilize data commonly available in most enterprises was recognized as a practical consideration.

Security Metrics Consensus Team Progress

A team of more than 100 government, private, and academic experts worked to reach consensus on a small initial set of security outcome and practice metrics. They represent outcome and practice areas of security regarded by the consensus group as important.

Currently, the consensus group has developed metrics covering the following business functions:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instances
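As an added illustration (not part of the CIS document or its schema), the following Python computes several of the Incident Management metrics listed above from a few constructed incident records. The page does not define the computations, so the rules used here are assumptions: discovery time is measured from occurrence, recovery time from discovery, and the incident rate is normalized to a 30-day period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

@dataclass
class Incident:
    ident: str
    occurred: datetime          # when the compromise began
    discovered: datetime        # when the organization learned of it
    recovered: datetime         # when normal operation was restored
    detected_internally: bool   # found by the organization's own controls?

def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0

def mean_time_to_discovery(incidents: List[Incident]) -> Optional[float]:
    """Assumed definition: mean hours from occurrence to discovery."""
    return mean(_hours(i.discovered - i.occurred) for i in incidents) if incidents else None

def mean_time_to_recovery(incidents: List[Incident]) -> Optional[float]:
    """Assumed definition: mean hours from discovery to recovery."""
    return mean(_hours(i.recovered - i.discovered) for i in incidents) if incidents else None

def mean_time_between_incidents(incidents: List[Incident]) -> Optional[float]:
    """Mean hours between consecutive occurrences; undefined with fewer than two incidents."""
    times = sorted(i.occurred for i in incidents)
    if len(times) < 2:
        return None
    return mean(_hours(b - a) for a, b in zip(times, times[1:]))

def pct_detected_by_internal_controls(incidents: List[Incident]) -> Optional[float]:
    """Share (percent) of incidents first detected by the organization's own controls."""
    return 100.0 * sum(i.detected_internally for i in incidents) / len(incidents) if incidents else None

def incident_rate(incidents: List[Incident], start: datetime, end: datetime) -> float:
    """Assumed definition: incidents occurring in [start, end), normalized to a 30-day period."""
    if end <= start:
        raise ValueError("reporting period must be non-empty")
    count = sum(start <= i.occurred < end for i in incidents)
    return count * 30.0 / ((end - start).total_seconds() / 86400.0)

# Constructed sample records (hypothetical; not real incident data)
SAMPLE = [
    Incident("INC-1", datetime(2024, 1, 2, 8), datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 20), True),
    Incident("INC-2", datetime(2024, 1, 12, 8), datetime(2024, 1, 14, 8), datetime(2024, 1, 15, 8), False),
    Incident("INC-3", datetime(2024, 1, 22, 8), datetime(2024, 1, 22, 20), datetime(2024, 1, 23, 8), True),
]
```

The functions return None where a metric is undefined (no incidents, or a single incident for the between-incidents mean) rather than a misleading zero.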

Metrics Schema

A security metrics schema has been developed to serve as a consistent structure for the definition of each metric, so that terms, definitions, and computational aspects are unambiguous.

Future Benefits of the Planned CIS Information Security Metrics Service

Once a significant volume of outcome metrics data is available, a number of important purposes will be served:

  1. The ability for enterprises to compare their outcomes against the distribution curves derived from data populated by other entities, thus creating an intrinsic improvement mechanism by invoking the desire to remain competitive and innovative.
  2. The understanding of practical benefits and effectiveness of best practices such as monitoring information flows, risk assessment models, patching, configuration, and maturity models, as they affect the reduction of the frequency and impact of security incidents. In that respect, business outcome metrics will serve as the learning and feedback loop that is currently missing from these practices.
  3. The provision of a rational basis for formulating information security strategy, analyzing its implementation, and making cost-effective security investments.

For More Information

If you are interested in actively participating as a member of the virtual CIS Security Consensus Metrics Team, or have questions, please contact CIS.