List of Information Security Metrics to Track

Organizational

• Information Security Budget as Percentage of IT Budget
• Information Security Budget Spend Breakdown
• Percentage of Users With Security Exceptions
• Percentage of Staff Fully Trained on Infosec Awareness
• Compliance Percentages (PCI/SOX/HIPAA/etc.)
• Employee Behavior Metrics (hunting anomalies to correlate to risk factors)

Operational

Patch Management

• Average - Length of time to patch systems
• Average - Length of time to patch network components
• Percentage of systems in compliance with organizationally mandated configuration guidance
• Percentage of managed systems for which an automated patch management process is used
• Average - Length of time from patch release to patch installation

Vulnerability Management

Infrastructure

• Percentage of managed systems checked for vulnerabilities in accordance with the organization's policy
• Average - Length of time for the organization to mitigate identified managed systems vulnerabilities.

• Percentage of systems without“high severity vulnerabilities based on Common Vulnerability Scoring System (CVSS) scoring

Application

• Average - Length of time for the organization to mitigate identified Hackerone Submitted vulnerabilities.

Access Control and Identity Accessment Management (Okta)

• Average Number of Account Lockouts
• Percentage of users for whom privileges can be modified dynamically
• Percentage of such users whose privileges are modified dynamically
• Percentage of system services for which privileges can be modified randomly
• Percentage of such resources for which privileges are modified randomly
• Random reviews performed on privilege definitions/assignments [yes/no]
• Percentage of cyber resources to which access is controlled based on criticality
• Percentage of cyber resources to which access is controlled based on sensitivity
• Percentage of users with privileged/administrator access

Data Management

• Percentage of cyber resources which are backed up
• Percentage which are backed up into hot backups
• Percentage which are backed up into cold / archival storage
• Time since restoration / reconstitution processes were last exercised
• Average time to restore
• Average time to back up
• Frequency of backup

Business Continuity and Disaster Recovery

• Percentage of information systems for which annual testing of contingency plans has been conducted.
• Time between initiation of recovery procedures and completion of  documented milestones in the recovery, contingency, or continuity of  operations plan
• Time between event or detected circumstances which motivated recovery procedures and achievement of [minimum acceptable, target] mission MOPs
• Percentage of mission capabilities for which [minimum acceptable, target]  MOPs are achieved within [minimum threshold, target] period of time  since initiating event
• Percentage of mission-critical cyber resources which are recovered from a backup
• Size of gap between lost and recovered mission-critical resources (time service or connection was unavailable, number of records not recovered)
• Percentage of mission-essential processes and interfaces restored to pre-disruption state
• Length of time to reconstitute a key information asset from a backup data store
• Percentage of non-mission-critical resources which are recovered from a backup
• Percentage of cyber resources for which access control is maintained throughout the recovery process
• Percentage of cyber resources for which access controls at multiple levels  or using different mechanisms are maintained consistently throughout the  recovery process
• Percentage of cyber resources for which auditing or monitoring is maintained throughout the recovery process
• Duration of gap in auditing or monitoring for [mission-critical resource, non-mission-critical resource] during recovery.

Change Management

• Mean-time to Complete Changes
• Percent of Changes with Security Review
• Percentage of Changes with Security Exceptions
• Number of Non-managed Changes (outside of formal process)
• Percentage of cyber resources which can be reconfigured on demand
• Time between decision to reconfigure resources and completion of reconfiguration
• Percentage of cyber resources which can be [automatically, manually] reconfigured
• Time between decision to redeploy resources and completion of redeployment
• Number of differences between initial set of resources and redeployed set
• Percentage of cyber resources that are properly configured