Cybersecurity Metrics: The Good, the Bad and the Ugly

Adrian Davis


The management saying “What gets measured gets managed”, attributed to the great physicist Lord Kelvin, is just as applicable to information security as it is to marketing, finance or operations. However, information security has increasingly found that the measurements it can collect and present are not necessarily relevant to the business, the board and the wider non-information security community.

This chapter will examine how metrics can be collected, used and presented to: assist information security to run its operations efficiently and effectively; communicate to varying audiences about what information security is doing and how it is supporting the business; and to provide information upon which decisions can be based and plans drawn up. Effort – and time – is still being expended in collecting, and then presenting to audiences, data and statistics that do not inform, describe the breadth of information security and its achievements, provide organisations with an understanding of the status information security and help answer the question, “Are we secure?”


Unfortunately, the term “metrics” has a number of meanings within

To continue reading...

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: