Proposed ICT Security metrics

Here are some proposed ICT security metrics that can be used as KPIs in security reports and controls. This list is improvised and non-exhaustive. They can be treated as monthly metrics to collect and keep in an MS Excel document (not easy, because it requires strong collaboration from the IT department, but possible).



  • Infosec Team availability
  • Projects vs Operation (Hours allocated, if relevant)
  • Last training date
  • CPE hours reported


  • Current Security budget allocated (Awareness, Technology, Services, …),
  • Remaining Security budget.


  • Last Staff arrival awareness communication (global),
  • Last Staff arrival awareness communication (specific),
  • Number of people informed about the Security measures.

Machines, OS, and devices

  • Number of machines (servers/desktops/laptops/mobile devices),
  • Number of laptops encrypted vs number of laptops,
  • Number of USB drives and storage devices used / connected,
  • Number of CDs/DVDs burned,
  • Number of server reboots (and reasons),
  • Unsupported OS report,
  • Unsupported product summary report.

Data Loss

  • Last data loss report and financial impact,
  • Last device loss report.

Infections, Spam and Malware

  • Number of spam messages blocked in the email filtering system,
  • Number of viruses detected (Email gateways, Web gateways, Computer AV, NextGen firewalls, …),
  • Number of website queries blocked (Web gateways),
  • Number of DNS queries related to malware or botnets,
  • Infected machines, replaced machines,
  • Reported virus and malware incidents.

Hacking and intrusion (no tool for that)

  • Number of attacks detected (IDS),
  • Number of DDoS attacks detected,
  • Fraud reported internally / externally (phishing attacks),
  • Wrong login/password attempts on our Internet infrastructure (customer side included),
  • Number of customer calls concerning Information Security or hacked email.


  • Number of critical vulnerabilities detected in our servers and infrastructure,
  • Number of critical vulnerabilities detected in our Internet infrastructure,
  • Number of new vulnerabilities discovered,
  • Last Pentest,
  • Next Pentest,
  • Delay between security patch announcement and fix (internal users),
  • Delay between security patch announcement and fix (internal servers),
  • Delay between security patch announcement and fix (web servers),
  • Number of new servers installed,
  • Number of old servers decommissioned,
  • Number of machines vs number of anti-virus installations.

Development, change and release management

  • Number of firewall policy changes,
  • Number of firewall emergency changes,
  • Number of security fixes remaining to apply in applications in development,
  • Number of developers with access to production data,
  • Number of applications released in production (global) vs number of applications reviewed by the Risk department,
  • Number of new projects (global) vs number of new projects analysed by the Risk department,
  • New servers installed,
  • New network equipment installed,
  • New leased lines installed,
  • New vendors or application added to the IMDB catalogue

Access management

  • Number of new staff arrivals (employees, students, consultants, trainees, workers),
  • Number of staff departures,
  • Number of staff moves,
  • Number of password resets,
  • Number of user accounts locked,
  • Last spot-check of permissions,
  • Number of VPN accesses,
  • Number of VPN accesses granted this month,
  • Number of VPN accesses removed,
  • Delay between staff departure and closure of account,
  • Number of active accounts in AD,
  • Number of admin accounts in AD,
  • Number of Never Expire accounts in AD,
  • Number of remaining accounts not used after 6 months, and not disabled in AD.


  • Last recovery test ICT,
  • Next recovery test ICT,
  • Last recovery test Business,
  • Next recovery test Business,
  • Various continuity tests
    • UPS
    • Diesel group
    • Systems and network cluster balancing
    • Critical business lines resilience (Bloomberg, Reuters, Recovery, …), including Internet
    • Data restore via tape or replication
    • Internet connectivity test
  • Last business or ICT continuity incident (failure, need to restore, power outage, …),
  • Last fire evacuation.



Feel free to propose some others.

