
This directory features proven systems that demonstrate value to your threat-informed efforts using metrics.


gertjanbruggink/metrics


Create your Value Operating System

This directory contains tips & tricks for (cyber) security teams to effectively demonstrate the value of their security efforts.

There's a Dutch saying: 'Meten is weten' (measuring is knowing). It basically implies that if you measure something, you are able to understand it better. Sounds easy, right? It's not.

Folks find it really difficult to actually come up with something tangible.

This was the main reason for me to publish any relevant content I produced or found online. This way, we can all leverage this content effectively.

Content index:

Background

Since May 2019 I have been curating a cyber threat intelligence metrics overview. Initially it was just a collection, inspired by a talk by @MarSChauvin & @t_gidwani on CTI metrics. A long list. It wasn't very useful. Some clients are more mature, some had more effect on certain audiences and some had more impact with stakeholders than others. After tweaking the overview based on these findings and client feedback, and aligning it with (cyber threat intelligence) maturity models, it turned into something very practical, giving teams a one-page sense of direction.

Cyber Threat Intelligence metrics have not changed that much over the years. How we combine them together to tell a story did. Ration if you will. How this impacts your organization in practice is something you have to understand within the context of your own organization. A key adjustment over time relates to teams reporting on effectiveness and trends versus pure, factual numbers.

In April 2022, after building measurements for a client's vulnerability management program, I created a separate file. Please note that this one is not as actively maintained as the Cyber Threat Intelligence one.

In February 2024 I started populating the repository with generic metrics, after increased interest from a wider audience looking to demonstrate value for their entire cyber security program.

On measurement

I believe metrics are a means to an end. If it isn't clear in the first place what you will do with the output, fix that first before diving into cool dashboards or number porn. Start with the basics first (yes, I know). Mature metrics are correlated with business goals, outcomes and enablement. You measure on performance & effectiveness. The most valuable is measuring effectiveness, the least valuable is performance.

[Image: Goodhart's law]

Audience

Target audience division used when concerned about metrics:

  • Strategic: Executive teams, C-level, CISO, business reps
  • Tactical: SOC managers, Information security officers, business reps
  • Operational: Security analysts, CTI analysts, Incident responders, business reps

Please note that in business practices, you sometimes see tactical & operational being used interchangeably.

Top 3 lessons learned:

When talking about cyber threat intelligence metrics:

  1. Measurement is only possible through clear alignment with audience & stakeholder(s): understanding what they need and defining PIRs (Priority Intelligence Requirements) accordingly. PIRs guide the improvement of metrics and the supporting technology required. This also dictates the reporting format.
  2. When organizations reach the intermediate phase, KPIs (or KCIs) are generally continuously reviewed, refined and defined. In essence, this is done by (re)defining PIRs for each stage of the client's specific intelligence cycle and governing it through a dedicated intelligence program.
  3. Higher vs lesser value is based on stakeholder & community feedback, qualitative review of existing metrics and quantitative tracking through a maturity model: https://www.crest-approved.org/buying-building-cyber-services/cyber-threat-intelligence-maturity-assessment-tools/.

[Screenshot: cyber threat intelligence metrics]

Other

Would you like to explore a more comprehensive view on how cyber threat intelligence metrics relate to an overall capability? Visit this mindmap: https://github.com/Errum/IntelArchitectureMap
