No consensus exists on what security metrics should be used for measuring security effectiveness. This page documents commentary on metrics definitions from external sources.
The Robert Frances Group recently reported in CSO magazine that the companies it surveyed used these metrics definitions:
| Metric | Surveyed companies using it |
|---|---|
| Viruses detected in user files | 92.3% |
| Viruses detected in e-mail messages | 92.3% |
| Invalid logins (failed password) | 84.6% |
| Unauthorized website access (content filtering) | 69.2% |
| Invalid logins (failed username) | 69.2% |
| Viruses detected on websites | 61.5% |
| Unauthorized access attempts (internal) | 61.5% |
| Admin violations (unauthorized changes) | 61.5% |
| Unauthorized information disclosures | 38.5% |
| Spam not detected (missed) | 38.5% |
| Spam false positives | 30.8% |
Click on the link above to see the full article.