Is there a standard for security metrics that can be used for the purposes of reporting to e.g. senior management? The purpose of the security metrics is to communicate risk over a period of time for different domains, e.g. asset management, identity & access management, vulnerability management, etc.

* Number of managed vs unmanaged assets
* Number of devices patched vs unpatched over a period of 90 days
* Number of active accounts vs inactive accounts over a period of 90 days
* Number of privileged accounts
* Number of security events vs incidents
* Number of users that have completed training vs those who haven’t
* Number of users who have clicked on simulated phishing emails