Example metrics
Go home

The graphics on this page illustrate various example metrics. The graphs were generated in MS Excel from totally fictitious numbers. The colors are gaudy, we know, but we hope the examples will inspire you to think creatively about analyzing and presenting your security metrics, as well as perhaps prompting you to consider some novel metrics for your information security measurement system.


The stack of blocks represents a capability maturity model-type metric, hopefully in a way that stimulates management to make a concerted effort to improve over time.

Scoring a metric against the PRAGMATIC criteria is a neat way to point out the highs and lows, its pros and cons.

Improving trends

A simple smoothed line graph is great for showing trends. In this example, we’ve identified critical and non-critical items separately: various other classifications or categories can be distinguished in this way, adding more depth and meaning to the numbers in a visually-appealing way.

The quality of an organization’s information security policies (plus the associated security standards, procedures and guidelines perhaps) speaks volumes about the importance or value of information security in management’s eyes. It strongly influences compliance, too, hence this deceptively simple metric can be a powerful driver for improvement.

Pie charts clearly indicate relative sizes of parts of the whole.

Here, the parts are sequenced logically by quality level. Ordering the parts by their sizes would further emphasize the size differences, and is useful if there is no logical sequence to the parts.

The percentages displayed in this example help clarify the relative proportions.

Policy quality
RAG map

Color-coded ‘maps’ representing various views of the organization offer a straightforward way to compare the security performance of different parts, the eye naturally turning to the reds in this example.

The background map could be a physical/literal representation (e.g. the site layout) or a virtual representation (e.g. major business units or departments). If the organization already uses similar map-type pictures in other contexts, why not use them for information security too? It puts the audience on familiar territory.

The red-amber-green colors could represent different metrics or parameters, or perhaps successive time periods, in separate ‘overlays’. In practice, some text would help explain!

It’s tempting to get fancy with the colors and line styles in Excel, and sometimes the visual impact is worth the effort ... but take it easy with the eye candy or you risk distraction, and perhaps ridicule.

Gradual reduction

Sometimes less is more. The lack of a labelled Y axis in this chart was a deliberate decision. The absolute values don’t matter in this particular example: the downward trend of whatever is being measured over time really stands out - and that’s the key message.

Oh, and by the way, ‘downward’ typically means risks or incidents are reducing in frequency/severity (good news! Things are getting better), but for other metrics ‘downward’ may indicate a situation is worsening. Be careful about confusing the audience by using a mixture of styles.


Cobweb/radar graphs and bubble charts are examples of creative ways to illustrate more complex data, although the more complicated the chart, the greater the risk that some of the audience will either be misled or will tune out. That’s not to say they are unsuitable, rather that it pays to spend time explaining things, especially when presenting unfamiliar formats for the first time. ‘Explaining things’ is much easier in person, which implies either a stand-up security metrics presentation at a seminar, meeting or workshop, or a one-on-one meeting to pore over a report and agree the actions arising. Either way, the overriding consideration is to be crystal clear about the message. If the presenter is as muddled as the presentation, it is probably counterproductive and unhelpful. Experienced managers can spot ‘smoke and mirrors’ a mile away ... having doubtless used the techniques themselves!

Copyright © 2021 Gary Hinson & Krag Brotby