In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy to understand graphs, but they tend to fail at meaningfully measuring progress over time.
It’s tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of highs, mediums and lows simply isn’t an accurate a representation overall progress.
These kinds of operational metrics, such as vulnerability counts, are attractive as a means of measuring progress, or more importantly for communicating progress, because they’re intuitive; If we focus on patching vulnerabilities, then the vulnerability count should go down.
SOURCE: tripwire.com
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
