Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Ed Bellis
Ed Bellis
Connect Directly
E-Mail vvv

Stop Counting Vulnerabilities & Start Measuring Risk

When security teams report on real risk, executive teams can gain a much better understanding of the company's security posture.

As a security team, you are what you measure. The problem is that too many security teams are counting vulnerabilities, not measuring risk. It's time we examine how vital it is for security teams to establish risk-based metrics, while offering some examples of both the right and wrong measures to use.

Why is the distinction between these approaches so vital? It's essential for security teams to understand the spectrum of risk, based both on the likelihood of an incident and the potential damage that may result.

Fundamentally, risk measurement provides a way for security teams to work smarter. They can focus their time, budget, and resources on what matters most: reducing risk. Risk measurement also provides teams with a centralized way to accumulate, analyze, and report on risk, which helps significantly improve operational efficiency.

When you adopt a risk management approach, you focus on what poses the largest and likeliest effects on the business, effectively tracking and making progress toward the ultimate goal: reducing uncertainty. Contrast this with measuring the quantity of vulnerabilities, where metrics are focused on measuring work rather than outcomes.

Before we can discuss risk, let's establish definitions. Rather than starting from scratch, I'd suggest you take a look at these from the Open Group and Daniel Miessler:

It's often easiest to think of risk as uncertainty, and our job as security professionals is to remove as much uncertainty as we can.

The Problem: Security Can't Go It Alone
The security team has started taking a risk management approach and everything is going to be rosy, right? Not exactly. Once a security team embraces risk management, the hard work is just beginning. The rest of the organization needs to start following the team's example. How does security build support for risk management across teams?

For security teams and the business to succeed in reducing uncertainty, risk management must be incorporated into operations across the organization. When security starts to be part of operations — rather than an ad hoc afterthought— the critical efforts that need to happen, do happen.

To begin, focus on two key steps:

  • Measurement. Practitioners must make sure they're measuring actual risk. All key stakeholders should buy off on what is being measured and ensure actual risk reduction is being addressed.
  • Integration. Once you're reporting on risk, it's critical to make sure risk management is part of operations.

Step 1: Selecting the Right Metrics for Measuring Risk
I meet with practitioners from a wide range of industries and often see the same missteps. Chief among these is that security teams are measuring the wrong things.

More often than not, teams take a "best practices" approach. Security analysts may run a report and find their checklist of vulnerabilities has been unaddressed for longer than 90 days. Then they'll prioritize efforts based on this aging data, focusing on how long a vulnerability has existed. Likewise, I often see companies focusing on the security news of the day over items that may be less attention-getting but pose a greater risk.

Contrast these somewhat arbitrary approaches with a risk-based strategy. With a risk-based approach, you may realize that those older vulnerabilities don't pose as much risk, but that three vulnerabilities discovered yesterday pose both a great likelihood of resulting in an incident and significant potential damage to the business. With this insight, the need to remediate these three vulnerabilities sooner is clear.

When you focus on the quantity or aging of vulnerabilities, you deprioritize higher-risk items that have a high likelihood or impact.

These contrasting scenarios underscore the importance of tracking and reporting with the right metrics. Metrics are vital in guiding behavior and play a key role in measuring success, tracking progress, getting buy-in, and investing in new approaches

It can be far better to address one high-risk vulnerability than even 100 low-risk vulnerabilities. The key is to establish metrics and analytics that measure risk in an empirical, meaningful way, so you can make these calculations with clarity.

While specific metrics that are optimal will vary somewhat depending on the nature of the business and environment, there are some common do's and don'ts when it comes to choosing metrics.

Here are some metrics to avoid:

  • Total open vulnerabilities
  • Average vulnerability age
  • Total vulnerabilities open longer than X days

Organizations that use a risk-based approach can consider tracking a number of key metrics:

  • Remediation rate of high-risk vulnerabilities with breakdowns
  • Median time to remediate a high-risk vulnerability
  • Median time to discover a high-risk vulnerability
  • Number of high-risk assets (which is very different than tracking high-risk vulnerabilities)

By and large, if you're tracking these metrics and seeing progress, you are making real improvements in reducing risk.

Step 2: Integrate Risk Management into Operation Processes
When it comes to operationalizing risk management, don't start by trying to create new operational processes. Instead, focus on transparently integrating risk management into existing processes.

Too often, security teams create out-of-band tools and procedures — and results suffer. Under any circumstances, it will be challenging to get teams to focus on security activities. Creating unique tools and workflows significantly exacerbates this challenge.

To significantly enhance your odds of success, leverage existing teams' processes wherever possible. Look to bake risk management into existing tools and workflows that staff members are using every day, including bug tracking and incident management. In effect, you're starting with what everyone is doing today and applying a risk-based lens to it.

The Payoff of Operationalizing Risk Management
When security teams adopt risk management, good things start to happen for these groups:

  • Security staffers start measuring real risk and understand how best to reduce uncertainty.
  • Those in IT operations become more productive. They aren't stuck feeling like they're doing busywork for the security folks; rather, they get visibility into risks facing the business and how they can play a part in reducing them.

When security teams start tracking and reporting on real risk, executive teams can gain a much better understanding of the company's security posture, how it's changing, and, most importantly, which efforts and investments need to be made to improve it.  

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.


Ed Bellis is a security industry veteran and expert and was once named Information Security Executive of the Year. He founded Kenna Security to deliver a data-driven, risk-based approach to remediation and help IT teams prioritize and thwart would-be security threats. Ed is ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...