Security metrics are quantitative measurements used to evaluate the effectiveness of a security program, track progress toward security goals, and communicate security posture to leadership. Good metrics are specific, measurable, and tied to business outcomes rather than just technical activity counts.
Useful metrics include mean time to detect (MTTD) and mean time to respond (MTTR) to incidents, percentage of systems with current patches, number of critical vulnerabilities open beyond their remediation SLA, and phishing simulation click rates before and after training. Each metric needs an agreed definition of when its clock starts and stops (for MTTD, first attacker activity versus first alert; for patch currency, what "current" means in days) and a stable data source, or trends across reporting periods are not comparable. Because a single long-dwell incident can dominate an average, MTTD and MTTR are usually reported alongside the median and a high percentile rather than as the mean alone.
CISSP Relevance
Security metrics appear in Domain 1 (Security and Risk Management) and Domain 6 (Security Assessment and Testing). CISSP candidates must understand how to design a metrics program whose measures are defined, repeatable and tied to risk, and how to present security data in terms that executive audiences find meaningful.
External reference: NIST SP 800-55 Performance Measurement Guide for Information Security
Related terms: Security Audit, Governance