The "C" and The "S" factors of Cyber Metrics

Next-generation security operations, powered by the right combination of human and artificial cognition, will ideally be able to look through the network and detect “unknown threats”, make them “known”, and feed them into AI/ML-powered systems as “known threats” to aid the systems' artificial cognitive abilities for better detection in the future; this is a continuous process. The proposed measure of the identification and conversion of unknown threats to known threats is "C", the threat conversion factor.

i = total confirmed, actioned incidents from security systems (SIEM, e-mail, XDR, etc.) in a given time, let’s say a month

p = passive threat hunting incidents / exposure hunting against new known indicators in a month

x = ∑(i + p)

h = number of threat hunting hypotheses proposed in a given time, let’s consider a month

t = incidents yielded from “h” in a month

C = threat conversion factor = (t / x)

C(n) = C for the (n)th month

ΔC = C(n) - C(n-1)

If we plot ΔC over a period of 6 months, we will see the maturity level of threat hunting and of the unknown-to-known threat conversion.

When we talk about breaches, a distinction must be made between infrastructure breach and network breach; the former is almost inevitable. People will find their way into the network one way or another, and that is where the clock starts ticking before the data breach. The S factor is the proposed measure of the success rate of containing infrastructure breaches before the adversary gets hold of our crown jewels, causing a data breach.

i = number of infrastructure breach incidents detected

d = number of data breach incidents detected

S = successfully averted before data breach = (i - d)

S factor = (i - d) / i

While the C factor can be measured monthly, the S factor is relatively more relevant over a longer period of time.
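A worked calculation of both factors, added here as an example and not code from the original article: it computes C per month, the ΔC series over six months, and the S factor, and it returns None where a denominator is zero. The monthly counts are constructed sample data, and the consistency checks (no negative counts, no yield without a hypothesis, d not greater than i) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MonthCounts:
    month: str
    i: int  # confirmed, actioned incidents from security systems
    p: int  # passive threat hunting / exposure hunting incidents
    h: int  # threat hunting hypotheses proposed
    t: int  # incidents yielded from those hypotheses

def conversion_factor(m: MonthCounts) -> Optional[float]:
    """C = t / x with x = i + p. None when x is 0 (no baseline that month)."""
    if min(m.i, m.p, m.h, m.t) < 0:
        raise ValueError(f"{m.month}: counts cannot be negative")
    if m.h == 0 and m.t > 0:  # assumption: yield requires at least one hypothesis
        raise ValueError(f"{m.month}: t > 0 reported with h = 0")
    x = m.i + m.p
    return m.t / x if x else None

def delta_series(months: List[MonthCounts]) -> List[Optional[float]]:
    """Delta C = C(n) - C(n-1) per consecutive pair; None if either C is undefined."""
    cs = [conversion_factor(m) for m in months]
    return [None if a is None or b is None else round(b - a, 4)
            for a, b in zip(cs, cs[1:])]

def s_factor(infra_breaches: int, data_breaches: int) -> Optional[float]:
    """S factor = (i - d) / i. None when no infrastructure breach was detected."""
    if infra_breaches < 0 or data_breaches < 0:
        raise ValueError("counts cannot be negative")
    if data_breaches > infra_breaches:  # assumption: every data breach starts as an infrastructure breach
        raise ValueError("d cannot exceed i")
    if infra_breaches == 0:
        return None
    return (infra_breaches - data_breaches) / infra_breaches

# Constructed sample data: six months of counts, not taken from any real SOC.
SAMPLE = [
    MonthCounts("2024-01", i=40, p=10, h=5, t=2),
    MonthCounts("2024-02", i=45, p=15, h=6, t=3),
    MonthCounts("2024-03", i=38, p=12, h=8, t=5),
    MonthCounts("2024-04", i=50, p=30, h=8, t=8),
    MonthCounts("2024-05", i=42, p=8, h=10, t=6),
    MonthCounts("2024-06", i=35, p=15, h=10, t=7),
]

if __name__ == "__main__":
    print("C per month:", [conversion_factor(m) for m in SAMPLE])
    print("Delta C series:", delta_series(SAMPLE))
    print("S factor (i=12, d=3):", s_factor(12, 3))
```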

The above metrics can be used for maturity assessments of cyber defense operations and by various interested parties such as governance bodies, third-party assessors, or even cyber insurance providers.
