CIS Consensus Information Security Metrics



Organizations struggle to make cost-effective security investment decisions, in part because information security professionals lack widely accepted, unambiguous metrics for supporting their decisions. To address the need for clear security metrics, CIS established a consensus group of industry experts. The result? A set of Consensus Security Metrics and data set definitions that can be used across organizations to collect and analyze data on security outcomes and process performance.

Download the Consensus Security Metrics



The team wanted to develop a collection of unambiguous, logically defensible outcome and practice metrics measuring:

  • The frequency and severity of security incidents
  • Incident recovery performance
  • The use of security practices that were generally regarded as effective


Security Metrics

A team of more than 150 experts from government, the private sector, and academia worked to reach consensus on an initial set of security outcome and practice metrics. These metrics cover the following business functions:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instances
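
As an added illustration, not code from the CIS page or the metrics document itself, the Python below computes several of the Incident Management and Vulnerability Management metrics listed above from constructed sample records. The formulas are the usual readings of those metric names (mean time to discovery as the average of discovery minus occurrence, percent of systems without known severe vulnerabilities taken over scanned systems, and so on) and are assumptions here; the CIS definitions document specifies the authoritative formulas, units, and which assets count in each denominator. All incident, host, and vulnerability records are constructed, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: datetime          # when the compromise actually began
    discovered: datetime        # when the organization learned of it
    recovered: datetime         # when affected systems/data were restored
    internal_detection: bool    # True if an internal control (IDS, EDR, log review) found it


@dataclass(frozen=True)
class Vulnerability:
    host: str
    ident: str                  # hypothetical tracking id, not a real CVE
    severe: bool
    found: datetime             # first reported by a scan
    mitigated: Optional[datetime]   # None while still open


# Constructed sample data (not real incidents, hosts, or scan results).
INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 3, 8),   datetime(2024, 1, 3, 20),  datetime(2024, 1, 4, 6),   True),
    Incident("INC-2", datetime(2024, 1, 10, 0),  datetime(2024, 1, 17, 0),  datetime(2024, 1, 18, 12), False),
    Incident("INC-3", datetime(2024, 2, 2, 9),   datetime(2024, 2, 2, 11),  datetime(2024, 2, 2, 15),  True),
    Incident("INC-4", datetime(2024, 2, 20, 14), datetime(2024, 2, 22, 14), datetime(2024, 2, 23, 2),  True),
]
ASSETS = {"web-1", "web-2", "db-1", "jump-1", "build-1"}   # inventory
SCANNED = {"web-1", "web-2", "db-1", "jump-1"}             # covered by the scanner this period
VULNS = [
    Vulnerability("web-1", "V-1", True,  datetime(2024, 1, 5), datetime(2024, 1, 9)),
    Vulnerability("web-2", "V-2", True,  datetime(2024, 1, 5), None),            # still open
    Vulnerability("db-1",  "V-3", False, datetime(2024, 1, 6), datetime(2024, 1, 20)),
    Vulnerability("web-1", "V-4", True,  datetime(2024, 2, 1), datetime(2024, 2, 11)),
]


# --- Incident Management (assumed definitions) ---
def mean_time_to_discovery_hours(incidents):
    """Average hours from occurrence to discovery."""
    return mean((i.discovered - i.occurred) / HOUR for i in incidents)


def mean_time_to_recovery_hours(incidents):
    """Average hours from discovery to recovery."""
    return mean((i.recovered - i.discovered) / HOUR for i in incidents)


def mean_time_between_incidents_hours(incidents):
    """Average gap between consecutive incident start times."""
    starts = sorted(i.occurred for i in incidents)
    return mean((b - a) / HOUR for a, b in zip(starts, starts[1:]))


def incident_rate(incidents, start, end, per=timedelta(days=30)):
    """Incidents that began in [start, end), normalized to one `per` period."""
    n = sum(1 for i in incidents if start <= i.occurred < end)
    return n / ((end - start) / per)


def pct_detected_internally(incidents):
    """Share of incidents first detected by an internal control rather than a third party."""
    return 100.0 * sum(i.internal_detection for i in incidents) / len(incidents)


# --- Vulnerability Management (assumed definitions) ---
def scan_coverage_pct(assets, scanned):
    """Share of inventoried assets actually scanned this period."""
    return 100.0 * len(assets & scanned) / len(assets)


def pct_systems_without_severe(scanned, vulns):
    """Share of scanned systems with no open severe vulnerability (denominator: scanned hosts)."""
    exposed = {v.host for v in vulns if v.severe and v.mitigated is None}
    return 100.0 * len(scanned - exposed) / len(scanned)


def mean_time_to_mitigate_days(vulns, severe_only=True):
    """Average days from first report to mitigation for closed findings."""
    closed = [v for v in vulns if v.mitigated is not None and (v.severe or not severe_only)]
    return mean((v.mitigated - v.found) / DAY for v in closed)


def known_vulnerability_instances(vulns):
    """Count of findings still open across all hosts."""
    return sum(1 for v in vulns if v.mitigated is None)


if __name__ == "__main__":
    window = (datetime(2024, 1, 1), datetime(2024, 3, 1))
    print(f"MTTD (h):            {mean_time_to_discovery_hours(INCIDENTS):.1f}")
    print(f"MTTR (h):            {mean_time_to_recovery_hours(INCIDENTS):.1f}")
    print(f"MTBSI (h):           {mean_time_between_incidents_hours(INCIDENTS):.1f}")
    print(f"Incident rate /30d:  {incident_rate(INCIDENTS, *window):.2f}")
    print(f"Detected internally: {pct_detected_internally(INCIDENTS):.0f}%")
    print(f"Scan coverage:       {scan_coverage_pct(ASSETS, SCANNED):.0f}%")
    print(f"No known severe:     {pct_systems_without_severe(SCANNED, VULNS):.0f}%")
    print(f"MTT mitigate (d):    {mean_time_to_mitigate_days(VULNS):.1f}")
    print(f"Open instances:      {known_vulnerability_instances(VULNS)}")
```

Two choices in this example are exactly the kind of thing a shared definition has to pin down before numbers from different organizations can be compared: the denominator for "systems without known severe vulnerabilities" is the scanned set rather than the full inventory (an unscanned host cannot have a *known* vulnerability, which is why Scan Coverage is reported alongside it), and Mean-Time to Recovery is measured from discovery rather than from occurrence so it does not double-count the discovery delay already captured by Mean-Time to Incident Discovery.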


Metrics Schema

In addition to developing these metrics, the CIS Security Benchmarks community is developing a metrics schema—an electronic format for sharing metric definitions, data sets, and results.


Current Initiatives


For More Information

If you're interested in joining our CIS Security Consensus Metrics Team, or if you have questions about our Security Consensus Metrics initiative in general, please contact us.
