Security Scorecard

5 Mistakes to Avoid When Selecting Information Security Metrics

Posted on March 18th, 2020

Information security metrics perform two important tasks. They allow your security team to understand your organization’s evolving security posture. They also allow you to explain your security posture to your organization's leaders.

That may seem simple enough, but knowing which metrics to monitor can be tricky. While some KPIs tell you a meaningful story about your company’s cybersecurity, others are meaningless. They might be vanity metrics that make your team look good in front of the C-suite. They might be KPIs that you found on a must-have list somewhere, but which don’t really apply to your specific situation. Or you might simply be tracking too many metrics.

At best, these metrics clutter up your dashboards and confuse your leadership. At worst, bad metrics give you false confidence in your cybersecurity, leaving you open to attacks you don’t see coming. And that can cost you. According to the Ponemon Institute’s 2019 Cost of a Data Breach report, the global average cost of a data breach is $3.92 million.

Common security metric mistakes

The key is to choose the right metrics for your organization — but that’s not easy. Below are five common mistakes organizations make when choosing cybersecurity KPIs, and some strategies that will help you avoid these common pitfalls.

  1. Using irrelevant data. Are you reporting the number of times you were attacked last month? Gartner calls this metric “completely worthless.” Why? Because even if the number is high, it tells you, and your leadership, very little. A count of blocked connections or IDS alerts mostly measures internet background noise, and it rises and falls with how much you log rather than with how exposed you are. McKinsey points out that most of these attacks come from unskilled hackers and don’t represent much of a real threat at all. The “number of unpatched vulnerabilities” is another weak metric: it counts a test kiosk and a payroll server as equals, and, as McKinsey notes, reporting that you’re patching your vulnerabilities is just reporting that you’re doing your job. Instead, use metrics that reflect the business goals of your organization, for example the time it takes to patch specific critical systems, or the share of critical findings fixed within their remediation target. Those numbers are understandable to leadership and point to an action.
  2. Focusing on reactive metrics. It’s important to know what has happened, but in cybersecurity you also want to focus on what can happen. This is why lagging metrics, such as the number of known security violations, can be a problem. Lagging metrics report results, but they don’t predict future breaches. Leading metrics, by contrast, are predictors. What’s a leading metric? A security rating is one: it scores externally observable signals, such as exposed services and patching cadence, and is intended to indicate how likely a third party (or your own organization) is to suffer a breach before one actually occurs.
  3. Using too many metrics. More numbers don’t mean better numbers. In fact, it’s often the opposite. By trying to track too many numbers, you can lose sight of the big picture. Instead, choose a handful of metrics that are meaningful to your security organization and to your company’s business goals. By focusing on a few important numbers, you’ll paint a clearer picture of your organization’s cyber health than you could with a long list of metrics.
  4. Using complicated metrics. Security metrics that require complex calculations may have their uses inside the security team, but they’re unlikely to help you understand security at a glance, and your leadership is unlikely to understand those KPIs at all. In fact, complicated metrics can distract your leadership from the report you’re trying to give. “If your audience is not familiar with how you get to the number(s) you're presenting, you may find yourself defending the methodology and calculation more than you actually get to discuss the security metric itself, its meaning, and the action that you recommend as a result,” Caroline Wong, chief strategy officer, told Dark Reading. Instead, avoid wasting your board’s time by using simpler, more relevant metrics.
  5. Focusing on your cybersecurity organization rather than the whole enterprise. In the news industry, there’s a saying: “Don’t be the story.” This is also true of cybersecurity. Choosing metrics that focus only on the actions of the security team ignores the fact that cyber health is the job of the entire enterprise. For example, it may be important to know how quickly critical systems are patched, but you should also know about cyber hygiene training for non-technical staff and the security posture of third parties. In other words, choose metrics that measure the resilience of your whole enterprise.
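To make the difference between a “doing your job” number and a metric tied to business goals concrete, the following added example (not code from this post or from SecurityScorecard) computes both from the same vulnerability data. The findings, the asset tiers, the field layout and the SLA values are all constructed for the example; they are not any scanner’s export format or any particular organization’s policy.

```python
"""Raw vulnerability count versus time-to-patch on critical systems.

Constructed sample data: each finding is
(asset, asset tier, severity, date first seen, date fixed or None if still open).
Tiers, dates and SLA targets are assumptions for this example.
"""
from datetime import date
from statistics import median

FINDINGS = [
    ("payroll-db", "critical", "critical", date(2020, 2, 3), date(2020, 2, 6)),
    ("payroll-db", "critical", "high", date(2020, 2, 10), date(2020, 2, 20)),
    ("erp-app", "critical", "critical", date(2020, 2, 14), date(2020, 3, 2)),  # 17 days: missed SLA
    ("erp-app", "critical", "critical", date(2020, 3, 1), None),  # still open
    ("vpn-gw", "critical", "high", date(2020, 1, 20), date(2020, 2, 1)),
    ("kiosk-07", "standard", "low", date(2020, 1, 5), None),
    ("kiosk-07", "standard", "medium", date(2020, 2, 25), None),
    ("dev-box-3", "standard", "high", date(2020, 2, 28), date(2020, 3, 10)),
    ("dev-box-4", "standard", "low", date(2020, 3, 5), None),
]

# Assumed remediation targets, in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the constructed sample.
AS_OF = date(2020, 3, 16)


def open_vulnerability_count(findings):
    """The 'you are doing your job' metric: every finding not yet fixed.

    It treats a kiosk and the payroll database as equals and says nothing
    about how fast the team closes what matters.
    """
    return sum(1 for f in findings if f[4] is None)


def critical_system_time_to_patch(findings):
    """Days from first seen to fixed, for closed findings on critical-tier assets.

    Returns (median_days, max_days): the median resists a single slow
    outlier, the max exposes it. Returns (None, None) if nothing is closed.
    """
    days = [
        (fixed - seen).days
        for _, tier, _, seen, fixed in findings
        if tier == "critical" and fixed is not None
    ]
    if not days:
        return (None, None)
    return (median(days), max(days))


def sla_report(findings, as_of=AS_OF, sla=SLA_DAYS, tier="critical"):
    """Share of closed findings that met their SLA, plus how many open
    findings are already past it, for one asset tier.

    The 'open past SLA' count is the forward-looking part: it is exposure
    the organization is carrying right now, not a tally of past events.
    """
    met = missed = open_past_sla = open_within_sla = 0
    for _, t, severity, seen, fixed in findings:
        if t != tier:
            continue
        limit = sla[severity]
        if fixed is None:
            if (as_of - seen).days > limit:
                open_past_sla += 1
            else:
                open_within_sla += 1
        elif (fixed - seen).days <= limit:
            met += 1
        else:
            missed += 1
    closed = met + missed
    return {
        "fixed_within_sla_pct": round(100 * met / closed) if closed else None,
        "open_past_sla": open_past_sla,
        "open_within_sla": open_within_sla,
    }


if __name__ == "__main__":
    print("Open vulnerabilities (all tiers):", open_vulnerability_count(FINDINGS))
    med, worst = critical_system_time_to_patch(FINDINGS)
    print(f"Critical systems: median {med} days to patch, slowest {worst} days")
    print("Critical-tier SLA view:", sla_report(FINDINGS))
```

On the constructed data the raw count is 4 open vulnerabilities, which invites the question “is that good?” and has no answer. The critical-tier view says that fixes take 11 days at the median, the slowest took 17, only 75% of closures met their target, and one critical finding on a critical system is already past its SLA today. Each of those numbers names a system and implies an action, which is what a board-level metric needs to do.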

How SecurityScorecard can help

SecurityScorecard’s Ratings offer a simple, easy-to-track metric that allows you and your organization’s leaders to understand the cyber health of your extended enterprise at a glance.

Our security ratings use an easy-to-understand A-F scale across 10 groups of risk factors with 87+ signals, so you can see at a glance where your security problems are and what actions to take. The platform alerts you to problems as soon as they appear and automatically generates a recommended action plan for each issue, so you can stay proactive and address weaknesses before they lead to a breach.
