Tuesday, November 22, 2022

Vulnerability Management - KPIs and KRIs

KPIs and KRIs help you to understand, measure and improve your vulnerability management process and patch management process. They are also essential to create reports and for building a baseline in case you want to implement a SIEM or any kind of security monitoring.


As Vulnerability Management is also a part of a technical risk assessment, the right KRIs could support your security strategy by letting you know where your IT infrastructure is vulnerable, about failed measures or controls and what assets (values) should be protected.


1. Quantitative Indicators

Quantitative indicators are the most common and important types of KPI. They are easy to understand because they just represented by numbers.


  • Number of assets (e.g., Windows, Linux servers, workstations, applications, etc.)
  • Number of vulnerabilities per type (low, high, critical, exploitable)
  • Number of scanned IP addresses / networks
  • Number of internet facing assets, applications
  • Number of internal and external servers, applications
  • Number of scanned URLs


2.  Lagging Indicators

  • Results at the beginning of a time frame (found vulnerabilities at the beginning of scan)
  • Results at the end of a time period (e.g. remediated vulnerabilities at the end of week/month)
  • Historical data


3. Input Indicators

  • Time to resolve or remediate a vulnerability
  • Number of stuff needed to resolve the vulnerability or patch systems


4. Output Indicators

  • Number of vulnerabilities remediated (also by criticality, sytem type, etc.)


5. Leading Indicators

  • Trends such as increasing or decreasing number of found vulnerabilities
  • Trends in in the criticality of a vulnerability


6. Financial Indicators

  • Costs for specific measures to resolve a vulnerability or when a vulnerability caused an incident


7. Practical Indicators

  • You can also define practical indicators that are individual or specific to the organization.


Here are some examples of practical KPIs and KRIs.


Detection capability indicators:

  • Asset coverage: Scanned assets in comparison with the amount of assets in the scope
  • Number of undocumented assets found: Assets that are scanned but not yet documented in the asset inventory (also useful to find rogue devices)

 

Key Risk Indicators:

  • Number of open vulnerabilities: total number of applicable vulnerabilities that are not yet analyzed or have work in progress
  • Percentage of numbers of open vulnerabilities related to closed issues in a month
  • Status and the number of vulnerabilities per asset: status of the remediation progress
  • Overview of the remediation solution type: indicate the number of the remediation solution types (patch, config change, etc.)
  • Number of open vulnerabilities per business application
  • Number of open vulnerabilities per server or system (including middleware and software)

 

Operational indicators:

  • Time from detection to remediation per vulnerability
  • Remediation done in set timeframe
  • Number and reason of failed remediations
  • Time to deploy the remediation solution
  • Type of remediation solution

 

Process efficiency indicators:

  • Number of deployments within and outside of scheduled maintenance windows


Please refer the below link for more information:

https://cyberblend.net/blog/kpi-examples-for-vulnerability-and-patch-management/


Happy Learning !!

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...