In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy to understand graphs, but they tend to fail at meaningfully measuring progress over time.
It’s tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of highs, mediums and lows simply isn’t an accurate a representation overall progress.
These kinds of operational metrics, such as vulnerability counts, are attractive as a means of measuring progress, or more importantly for communicating progress, because they’re intuitive; If we focus on patching vulnerabilities, then the vulnerability count should go down.
SOURCE: tripwire.com
