The study examined the risk-based security metrics that IT security managers most frequently use to gauge the effectiveness of their organizations' overall security efforts.
Top metrics included: time taken to patch, policy violations, uninfected endpoints, data breaches, reduction in the cost of security, end-user training, and reduction in unplanned system downtime.
The survey respondents included 749 US and 571 UK professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
In the compliance arena, leading metrics included mean time-to-patch (49 percent), policy violations (33 percent), and reduction in audit findings and repeat findings (27 percent).
The study also found that only 19 percent of respondents considered the number of records or files flagged as compliance infractions to be an effective metric, and only 16 percent identified reduction in expired certificates (including SSL certificates and SSH keys) as one.