Example metrics

The graphics on this page have been used to illustrate various example metrics discussed on the blog.  The graphs were generated in MS Excel from totally fictitious numbers.  The colors are gaudy, we know, but we hope the examples will inspire you to think creatively about analyzing and presenting your security metrics, as well as perhaps prompting you to consider some novel metrics for your information security measurement system.

Improving trends

The stack of blocks represents a capability-maturity-model-type metric, presented in a way intended to stimulate management to make a concerted effort to improve from a low base: each block that is still missing is a visible, unfinished step.

Scoring a metric on the PRAGMATIC criteria is a great way to point out the pros and cons of the metric itself, before it is adopted and reported.

A simple smoothed line graph is great for showing trends.  In this example, we’ve identified critical and non-critical items separately: various other classifications or categories can be distinguished in this way, adding more depth and meaning to the numbers in a visually-appealing way.

Policy quality

The quality of an organization’s information security policies (plus the associated security standards, procedures and guidelines perhaps) speaks volumes about the importance or value of information security in management’s eyes.  It strongly influences compliance, too, hence this deceptively simple metric can be a powerful driver for improvement.

RAG map

Color-coded ‘maps’ representing various views of the organization offer a straightforward way to compare the security performance of different parts, the eye naturally turning to the reds in this example. 

The background map could be a physical/literal representation (e.g. the site layout) or a virtual representation (e.g. major business units or departments).  If the organization already uses similar map-type pictures in other contexts, why not use them for information security too?  It puts the audience on familiar territory.

The red-amber-green colors could represent different metrics or parameters, or perhaps successive time periods, in separate ‘overlays’.  In practice, some text would help explain: at minimum a legend stating which metric or period each overlay shows and what thresholds separate red, amber and green.

It’s tempting to get fancy with the colors and line styles in Excel, and sometimes the visual impact is worth the effort ... but take it easy with the eye candy or you risk distraction, and perhaps ridicule.

Gradual reduction

Sometimes less is more.  The lack of a labelled Y axis in this chart was a deliberate decision.  The specific numbers don’t really matter in this particular example; it’s the downward trend that stands out. 
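The smoothed trend line in the critical/non-critical example, and the downward trend that the gradual-reduction chart relies on, can both be produced from raw monthly counts before they ever reach Excel.  This is an added Python example, not code from the original page or its authors; the monthly counts are constructed fictitious numbers (in the spirit of the page’s own charts), and the category names, function names and three-month window are assumptions:

```python
"""Smoothed trend lines for a security metric split by category.

Added illustration for the smoothed-line-graph and gradual-reduction
examples; it is not code from the original page or its authors.  The
monthly counts below are constructed (fictitious) and the category
names, function names and window size are assumptions.
"""
from statistics import mean

# Constructed sample: open findings per month, split into critical and
# non-critical, as the line-graph example distinguishes them.
MONTHLY_OPEN_FINDINGS = {
    "critical":     [14, 12, 15, 11, 9, 10, 8, 7, 7, 5, 6, 4],
    "non-critical": [60, 58, 63, 57, 55, 54, 50, 52, 47, 45, 44, 41],
}


def moving_average(series, window=3):
    """Trailing moving average.  Early points use the shorter window that
    is available, so the smoothed line has the same length as the data
    and never peeks at future months."""
    if window < 1:
        raise ValueError("window must be >= 1")
    return [mean(series[max(0, i - window + 1): i + 1]) for i in range(len(series))]


def trend_slope(series):
    """Least-squares slope per period; negative means the metric is falling."""
    n = len(series)
    if n < 2:
        raise ValueError("need at least two points")
    xs = range(n)
    x_bar = mean(xs)
    y_bar = mean(series)
    num = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, series))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den


def smoothed_trends(data, window=3):
    """Return, per category, the smoothed series, its slope and a
    direction label suitable for a one-line summary next to the chart."""
    out = {}
    for name, series in data.items():
        smoothed = moving_average(series, window)
        slope = trend_slope(smoothed)
        direction = "improving" if slope < 0 else "worsening" if slope > 0 else "flat"
        out[name] = {"smoothed": smoothed, "slope": slope, "direction": direction}
    return out


if __name__ == "__main__":
    for name, result in smoothed_trends(MONTHLY_OPEN_FINDINGS).items():
        print(f"{name:13s} slope={result['slope']:+.2f}/month  {result['direction']}")
        print("  smoothed:", " ".join(f"{v:5.1f}" for v in result["smoothed"]))
```

The slope is computed on the smoothed series rather than the raw one so that a single noisy month does not flip the direction label, and a trailing (not centred) window is used so the latest point on the chart reflects only data that actually exists.  The direction label is what a presenter would say in words when, as in the gradual-reduction chart, the Y-axis numbers are deliberately left off.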

Cobweb/radar graphs and bubble charts are examples of creative ways to illustrate more complex data, although the more complicated the chart, the greater the risk that some of the audience will either be misled or will tune out.  That’s not to say they are unsuitable, rather that it pays to spend time explaining things, especially when presenting unfamiliar formats for the first time.

‘Explaining things’ is much easier in person, which implies either a stand-up security metrics presentation at a seminar, meeting or workshop, or a one-on-one meeting to pore over a report and agree the actions arising.  Either way, the overriding consideration is to be crystal clear about the message.  If the presenter is as muddled as the presentation, it is probably counterproductive and unhelpful.  Experienced managers can spot ‘smoke and mirrors’ a mile away!

Copyright © 2015 Gary Hinson & Krag Brotby