В отчете "The State of Risk-Based Security 2013 " нашел интересную информацию: метрики, которые чаще всего используют специалисты по ИБ в USA и UK (рассортированы по частоте использования). Вот они:
Reduction in the cost of security management activities
Length of time to implement security patches
Spending level relative to total budget
Percentage of endpoints free of malware and viruses
Number of end users receiving appropriate training
Reduction in unplanned system downtime
Reduction in number of access and authentication violations
Reduction in the total cost of ownership (TCO)
Return on security technology investments (ROI)
Reduction in number of known vulnerabilities
Reduction in number of data breach incidents
Reduction in number of percentage of policy violations
Reduction in audit findings and repeat findings
Number of security personnel achieving certification
Number of records or files detected as compliance infractions
Percentage of software applications tested
Reduction in the frequency of denial of service attacks
Reduction in regulatory actions and lawsuits
Reduction in expired certificates (including SSL and SSH keys)
Mean time to detect security incidents
Reduction in the number of threats
Reduction in the cost of cyber crime remediation
Percentage of recurring incidents
Percentage of incidents detected by automated control
Performance of users on security training retention tests
Time to contain data breaches and security exploits
Reduction in the number or percentage of end user enforcement actions
Reduction in loss of data-bearing devices (laptops, tablets, smartphones)
