10 Cybersecurity Metrics You Should Be Monitoring

Effective management of varying performance indices in information security can mean the difference between a practical and efficient project and a complete waste of money. 

Although managers have been following KPIs for quite some time now, in information security, this is an uncommon and still developing practice to track cyber security metrics.

So, here are some suggestions for cybersecurity metrics that can and should be tracked to ensure the efficiency of your security projects. 

  1. Mean-Time-to-Detect and Mean-Time-to-Respond

Mean Time To Identify (MTTI) and Mean Time To Contain (MTTC) for US companies indicates that the Detect and Respond Phases are suffering. In fact, the MTTC in  2017 was 208 days and the MTTI was 52 days. At the same time, likelihood of incurring a mean breach cost of $2.25M is almost 28% over the next 24 months for U.S. companies. 

Poor performance in MTTI and MTTC is a huge contributor to breach costs. These should be your two most important KPIs when measuring information security. It's also a good KPI for CISOs to measure and show their Board for long-term improvement. Everyone on the security team should prioritize improving these two KPIs. 

  1. Number of systems with known vulnerabilities

Knowing the number of vulnerable assets in your environment is a key cybersecurity metric to determining the risk that your business incurs. Managing updates and patches is a complex process, but very important to avoid loopholes that can be exploited in your environment. A vulnerability scan that includes all the assets will indicate what needs to be done to improve the security posture of your company. A vulnerability management program not a nicety, but a necessity.

Measure Your Information Security Maturity Self-Assessment Survey

  1. Number of SSL certificates configured incorrectly

An SSL certificate is a small file that certifies the ownership of a cryptographic key to the website or company with which data is being exchanged, guaranteeing the authenticity of the transaction. Monitoring the security requirements for each certificate, as well as ensuring that they are properly configured on servers, prevents them from falling into the wrong hands and that your company's digital identity is not used to steal user information.

  1. Volume of data transferred using the corporate network

If your employees have unrestricted access to the internet through the corporate network, monitoring the volume of traffic allows you to identify misuse of company resources. When downloading software, videos, movies and applications a user can leave the door open for botnets and malware to invade their environments, even more, if the downloads are from websites known to be dangerous.

  1. Number of users with "super user" access level.

Best practices in information security management include full control of users' level of access to company resources, it is necessary for an employee to only access data, systems, and assets that are necessary to their work. Identifying the access levels of all network users allows you to adjust them as needed by blocking any super user or administrator that does not make sense.

  1. Number of days to deactivate former employee credentials

By monitoring these cybersecurity metrics, you can define whether the Human Resources and IT teams are working in tune. In an ideal scenario, the access of users terminated from the company should be canceled immediately. Keeping them active is a tremendous risk, as it leaks sensitive information and can lead to compromised devices.

  1. Number of communication ports open during a period of time

As a general rule, avoid allowing inbound traffic for NetBIOS (UDP 137 and 138, TCP 135-139 and 445). Be observant of outbound SSL (TCP 443): a session that stays active for a long time could be an SSL VPN tunnel that allows bi-directional traffic. Any common ports for protocols that allow remote sessions, like TCP 22 (SSH), TCP 23 (telnet), TCP 3389 (RDP), and TCP 20 and 21 (FTP) should be monitored for a length of time.

  1. Frequency of review of third party accesses

Often, IT managers grant access to third parties in their networks to complete a project or activity. It is important to monitor whether the access is canceled at the end of service provisioning. Failure to do so endangers your environment if the third party decides to come back and extract data or carry out other malicious activity – for instance, they may come under the employ of a competitor. Possibly worse, if the 3rd party’s network is breached, you could expose your network to the same threat.

  1. Frequency of access to critical enterprise systems by third parties

Creating a mapping of critical systems for the company and knowing the users that access them are imperative in the security context. Monitoring attempts to access servers or applications that should not be targeted by unauthorized users may indicate misconduct and intentions to compromise your environment.

  1. Percentage of business partners with effective cybersecurity policies

You must maintain strict control and monitor the cybersecurity metrics of the companies that provide services for your business. Giving access to your environments to this outsourced company can be a huge risk if it does not have effective policies for its safety in the first place. It is not too much to say that if your company invests in security but has third parties connected to your systems that do not, you have no security at all.

Oldair Barbosa is a consultant with CIPHER's Governance, Risk and Compliance team.

Measure Your Information Security Maturity Self-Assessment Survey

Did you enjoy this blog article? Share it with your peers or comment below.


Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.

Subscribe to Us!

Recent Security Posts


Twitter Feed