Key Performance Indicators for Vulnerability Management
For a better assessment and measurement of processes
Key Performance Indicators (KPIs) are metrics used to measure and evaluate the performance of a process. They are tied to business goals and help us to assess whether a process is meeting its goals and objectives and identify areas for improvement.
In Vulnerability Management, Our Main Goals Are To
- Identify vulnerabilities
- Remediate vulnerabilities swiftly to keep our attack surface to a minimum
To measure how well we're meeting those goals, we can consult several KPIs. These may include:
Combining vulnerability data with asset inventory information allows us to monitor that our vulnerability management program covers all our assets or helps identify what we need to add. This KPI is vital for every vulnerability management program, as we wouldn't be able to detect or remediate any vulnerabilities if an asset is not in scope for vulnerability scanning.
Remediation tasks closed
This KPI measures the number of vulnerabilities that have been successfully mitigated or fixed within a given time frame. A higher number can indicate that we are effectively managing our exposures.
Remediation progress over time
By tracking the number and status of remediation tasks over time, it will be transparent how many tasks are new, in progress, and successfully closed relative to all available remediation tasks. This metric helps us understand whether our vulnerability management efforts are improving, deteriorating, or remaining at a steady pace.
Remediation policy compliance
The remediation policy contains our company's time objectives regarding how long it should take us at maximum to remediate vulnerabilities. The compliance KPI measures how many remediation tasks are passed the policy target and are managed insufficiently. A high score indicates ineffective management. Combined with planned target dates per remediation task, it can also mean deliberate delays (e.g., due to project dependencies) or lack of process diligence.
Time to remediate
This KPI measures how long it takes us to remediate vulnerabilities. A shorter time to remediate can indicate that the organization has a more effective vulnerability management process.
Remediation tasks by status over time
Ideally, remediation tasks quickly change their status from 'new' to 'in progress' and eventually 'closed' to demonstrate steady progress. By measuring these numbers, an overall trend of process diligence will become transparent.
Percentage of high-risk vulnerabilities
This KPI measures the rate of high-risk vulnerabilities. A lower percentage can indicate that the organization is effectively prioritizing and addressing its most critical vulnerabilities.
Looking at multiple KPIs in combination can provide a more comprehensive understanding of the performance of a process than just one aspect by itself. For example, let's only look at the number of high-risk remediation tasks without considering scan coverage. We might conclude that we are effectively managing remediation tasks, while in reality, more and more assets are not included in the program. Similarly, looking at remediation tasks closed without taking the time to remediation into account could look like we are making steady progress when the task turnover is slowing down.
Several snapshot KPIs help assess the status quo and inform what to focus on next.
Snapshot KPIs can also shed further light on information provided by trend-based KPIs. For instance, when looking at the meantime to remediate and realizing that the meantime is increasing, we should consult the individual topics statistics to see whether we have more complex remediation tasks that require more effort and, as a result, take longer to be remediated.
The value of KPIs lies in their ability to help us make data-driven decisions. By measuring and tracking specific metrics, we can identify areas of success and potential for improvement, for instance, due to a lack of automation or resource deficiencies. Based on KPIs, we can make more informed decisions about allocating resources and making changes to improve process performance. KPIs are also important for communication and reporting, as they provide a transparent view for stakeholders and upper management.
In general, by monitoring these and other KPIs, organizations can identify trends and patterns in their vulnerability management program and make necessary changes to improve its effectiveness. After all, the more effective our vulnerability management program is, the less likely an exploit and the better resources are utilized.
Christina Finck is an Information Security Consultant and the Product Manager of Arvato System’s vulnerability management platform VAREDY.