Key Performance Indicators for Vulnerability Management

For a better assessment and measurement of processes

Key Performance Indicators (KPIs) are metrics used to measure and evaluate the performance of a process. They are tied to business goals and help us to assess whether a process is meeting its goals and objectives and identify areas for improvement.?

In Vulnerability Management, Our Main Goals Are To

1. Identify vulnerabilities
2. Remediate vulnerabilities swiftly to keep our attack surface to a minimum

To measure how well we're meeting those goals, we can consult several KPIs. These may include:?

1. Scan coverage

Combining vulnerability data with asset inventory information allows us to monitor that our vulnerability management program covers all our assets or helps identify what we need to add. This KPI is vital for every vulnerability management program, as we wouldn't be able to detect or remediate any vulnerabilities if an asset is not in scope for vulnerability scanning.??

2. Remediation tasks closed

This KPI measures the number of vulnerabilities that have been successfully mitigated or fixed within a given time frame. A?higher number can indicate that we are effectively managing our exposures.?

3. Remediation progress over time

By tracking the number and status of remediation tasks over time, it will be transparent how many tasks are new, in progress, and successfully closed relative to all available remediation tasks. This metric helps us understand whether our vulnerability management efforts are improving, deteriorating, or remaining at a steady pace.?

4. Remediation policy compliance

The remediation policy contains our company's time objectives regarding how long it should take us at maximum to remediate vulnerabilities. The compliance KPI measures how many remediation tasks are passed the policy target and are managed insufficiently. A high score indicates ineffective management. Combined with planned target dates per remediation task, it can also mean deliberate delays (e.g., due to project dependencies) or lack of process diligence.?

5. Time to remediate

This KPI measures how long it takes us to remediate vulnerabilities. A shorter time to remediate can indicate that the organization has a more effective vulnerability management process.?

6. Remediation tasks by status over time

Ideally, remediation tasks quickly change their status from 'new' to 'in progress' and eventually 'closed' to demonstrate steady progress. By measuring these numbers, an overall trend of process diligence will become transparent.

7. Percentage of high-risk vulnerabilities

This KPI measures the rate of high-risk vulnerabilities. A lower percentage can indicate that the organization is effectively prioritizing and addressing its most critical vulnerabilities.?

Looking at multiple KPIs in combination can provide a more comprehensive understanding of the performance of a process than just one aspect by itself. For example, let's only look at the number of high-risk remediation tasks without considering scan coverage. We might conclude that we are effectively managing remediation tasks, while in reality, more and more assets are not included in the program. Similarly, looking at remediation tasks closed without taking the time to remediation into account could look like we are making steady progress when the task turnover is slowing down.?

Several snapshot KPIs help assess the status quo and inform what to focus on next.Those KPIs Could Include the Following

1. Remediation tasks by age and severity

According to the?Check Point Cyber Security Report 2021, 75% of attacks used at least two years old vulnerabilities. The older the vulnerability, the more likely the exploit. Focusing on older remediation tasks can significantly reduce the risk of a successful exploit.

2. Remediation tasks by score

As we typically face numerous remediation tasks, it is critical to use a metric that combines information. A sound?remediation score takes multiple factors into account, starting with asset value, the severity of vulnerabilities associated with the asset, the type of attack they are vulnerable to, the likelihood of an attack being successful, and the potential impact of a successful attack or known exploits. Based on the remediation score, we prioritize the long list of open remediation tasks according to criticality and urgency.?

3. Assets by the number of remediation tasks

In the spirit of big rocks first, working off the list of "worst offenders" will reduce the attack surface.

4. Individual topic statistics

There will be several topics that require more than a patch to be implemented. Some zero-days need swift mitigation by implementing a specific configuration or operating systems that are end-of-life without a direct upgrade path. These topics should be specified and tracked depending on the environment, as they are typically more urgent or simply more complex and time-consuming.

Snapshot KPIs can also shed further light on information provided by trend-based KPIs. For instance, when looking at the meantime to remediate and realizing that the meantime is increasing, we should consult the individual topics statistics to see whether we have more complex remediation tasks that require more effort and, as a result, take longer to be remediated.??

The value of KPIs lies in their ability to help us make data-driven decisions. By measuring and tracking specific metrics, we can identify areas of success and potential for improvement, for instance, due to a lack of automation or resource deficiencies. Based on KPIs, we can make more informed decisions about allocating resources and making changes to improve process performance. KPIs are also important for communication and reporting, as they provide a transparent view for stakeholders and upper management.?

In general, by monitoring these and other KPIs, organizations can identify trends and patterns in their vulnerability management program and make necessary changes to improve its effectiveness. After all, the more effective our vulnerability management program is, the less likely an exploit and the better resources are utilized.?

Reduce Vulnerability to Cyber Attacks with Vulnerability Management

The cybercrime industry is becoming more and more professional. Hacker attacks have become a very lucrative activity. In most cases, criminals are well-versed in a particular technique and are becoming increasingly creative in finding and exploiting potential vulnerabilities. To counter this threat, organizations must be consistent in implementing procedural vulnerability management, effective vulnerability remediation, and a high level of persistence.

About the Author

Christina Finck is an Information Security Consultant and the Product Manager of Arvato Systems' vulnerability management platform?VAREDY.