📊 보안 지표: Measuring What Actually Matters
"What gets measured gets managed. What doesn't get measured gets breached." — Hagbard Celine
"If you can't measure it, you can't prove it works. If you measure the wrong thing, you prove nothing. If you only measure what makes you look good, you prove you're lying to yourself."
🍎 The Golden Apple: Vanity Metrics vs. Real Security (or: How to Lie with Statistics While Feeling Secure)
Security teams love metrics. Dashboards full of numbers. Colorful charts. Executive briefings with upward-trending lines. It's security theater with better production values.
Most security metrics measure the wrong things. FNORD. Are you measuring security or measuring the appearance of measuring security? (Asking for a friend. The friend is paranoia.)
Number of policies written? Irrelevant if unenforced (PDF doesn't stop hackers). Security training completion rate? Useless if employees still click phishing links (compliance ≠ comprehension). Vulnerability scan count? Meaningless without patch deployment speed (scanning vulnerabilities you never fix is like diagnosing cancer and celebrating the diagnosis). The security-industrial complex sells tools that generate metrics that prove you bought tools. Circular reasoning is circular.
Measure outcomes, not activities. Measure risk reduction, not effort expended. Or keep measuring inputs and wondering why outputs still suck. Your choice. Nothing is true.
🛡️ The Five Categories of 보안 지표 That Matter
1. Detection & Response
How fast do you detect and stop attacks?
MTTD: Mean Time To Detect (hours/days). MTTR: Mean Time To Respond (hours). MTTR: Mean Time To Recover (hours).
2. Vulnerability Management
How fast do you patch critical risks?
Time to patch critical CVEs: Days from disclosure to deployment. Open high/critical vulnerabilities: Absolute count, trending down.
3. Incident Trends
Are you getting better or worse?
Incidents per month: Trending down? Severity distribution: More critical or more informational? Repeat incidents: Learning from failures?
4. Access Control
Who has access to what?
Accounts with excessive privileges: Count, review frequency. Unused accounts: Dormant credentials are risk. MFA coverage: Percentage of critical systems.
5. Security Awareness
Do users fall for attacks?
Phishing simulation click rate: Percentage clicking malicious links. Reported suspicious emails: User vigilance indicator. Policy violations: Incidents from user mistakes.
⏰ Leading vs. Lagging Indicators: The Paradox of Time
Lagging indicators tell you what happened. They're forensic evidence of your security posture—the crime scene photos of yesterday's decisions. Useful for autopsies. Not so useful for preventing the murder.
Leading indicators predict what will happen. They're the smoke before the fire, the tremor before the earthquake, the FNORD you almost didn't notice. They're uncomfortable because they reveal problems before they become disasters—and who wants to admit their house is on fire while there's still time to grab the extinguisher?
🔴 Lagging Indicators (Autopsy)
- Number of incidents: Counting corpses
- Breach impact: Calculating damage
- Time to remediate: How long you bled
- Compliance audit findings: Report card from last semester
- Security budget spent: How much you invested in yesterday
Looking backward feels safe. The disaster already happened. Nothing left to prevent.
🟢 Leading Indicators (Prevention)
- Vulnerability age distribution: How long known risks sit unpatched
- Patch deployment velocity: Speed from disclosure to protection
- Phishing simulation trends: User vigilance improving or declining?
- Security awareness engagement: Are people learning or clicking through?
- Access review completion rate: Proactive privilege hygiene
- Unpatched critical systems: Ticking time bombs still armed
Looking forward creates anxiety. The disaster hasn't happened yet. You could still prevent it. That means responsibility.
🤖 Automation: Measuring Without Theater
Manual security metrics are security theater with spreadsheets. If a human has to manually collect the metric, the metric lies. Not because humans are dishonest (though some are), but because manual collection introduces:
- Selection bias: "I'll just check the systems that usually pass..."
- Temporal drift: Metrics from last Tuesday pretending to represent today
- Sampling errors: "I checked 10 of 1000 servers, close enough!"
- Political optimization: "Let's wait until after that patch deploys to run the report..."
- Effort resistance: "This takes 4 hours, we'll do it quarterly instead of weekly"
Automated metrics don't lie. They just reveal truths you'd rather not see.
🛠️ Automation Stack Examples
- GitHub Advanced Security: Continuous code scanning, secret detection, dependency alerts
- AWS Config Rules: Real-time infrastructure compliance monitoring
- OpenSSF Scorecard: Weekly supply chain security assessment
- SonarCloud Quality Gates: Every commit quality and security validation
- FOSSA License Scanning: Continuous SBOM generation and license compliance
- GuardDuty: Automated threat detection without human intervention
📊 Continuous Measurement Patterns
- Every commit: SAST, secret scanning, dependency checks
- Every deploy: Container vulnerability scanning, SBOM generation
- Every hour: Infrastructure configuration compliance
- Every day: Vulnerability age trending, patch status
- Every week: OpenSSF Scorecard, access reviews, security posture
Think for yourself: If your security metric requires a human to manually collect it, ask why it's not automated. The answer usually reveals whether you're measuring security or measuring the appearance of measuring security. FNORD.
📊 Visualization: Dashboards That Tell Truth vs. Dashboards That Lie
Green dashboards are the opiate of security executives. "Everything's green! We're secure!" Translation: "I carefully selected metrics that make me look good."
Good security dashboards make you uncomfortable. They highlight problems. They trend risks. They show age distributions of unpatched vulnerabilities. They don't show "100% compliant" unless you're actually 100% compliant (you're not).
🎭 Dashboard Theater
- All green tiles: "Everything's fine!" (Narrator: It wasn't.)
- Percentage completions: "99% patched!" (1% = entire DMZ)
- Trend lines pointing up: "Improving!" (More scans ≠ more security)
- Compliance percentages: "97% compliant!" (3% = all authentication)
- Activity metrics: "Blocked 10M threats!" (9.999M = spam)
"Look at all these green numbers! We must be secure. Right? Right??"
✅ Truth Dashboards
- Red/Yellow/Green with context: "23 critical vulns, 19 >30 days old"
- Age distributions: Histograms showing how long risks persist
- Trend arrows (both directions): "MTTR improving, but MTTD worsening"
- Absolute counts: "4 unpatched critical systems in production"
- Ratio metrics: "800% net resolution rate (closed vs opened)"
Uncomfortable truths drive action. Comfortable lies drive breaches.
📋 Hack23's 보안 지표 Dashboard
Our metrics program focuses on risk reduction: ISMS-PUBLIC Repository | 보안 지표
- OpenSSF Scorecard Target: ≥7.0/10 — Supply chain security assessment across all repos (CIA: 7.2, Black Trigram, CIA CM)
- SLSA Level 3 Build Provenance — Cryptographically signed attestations for all releases (non-falsifiable provenance)
- CII Best Practices: Passing+ — Open source maturity badges (CIA, Black Trigram, CIA CM all passing)
- SonarCloud Quality Gates: Passed — Zero high/critical vulnerabilities, <3% duplication, ≥80% coverage target
- Vulnerability SLAs — Critical CVEs: 7 days, High: 30 days, Medium: 90 days (live tracking in GitHub Security)
- FOSSA License Compliance — Automated SBOM generation, continuous dependency license monitoring
- GitHub Advanced Security — Secret scanning, Dependabot alerts, CodeQL SAST on every commit
- AWS Security 서비스 — GuardDuty threat detection, Security Hub findings, Config compliance, Inspector vulnerabilities
🔍 GitHub 보안 지표: Real-Time Transparency
Hack23 practices radical transparency through live public security metrics. Our GitHub Security Organization Overview exposes actual vulnerability management performance:
- Current MTTR: 8 days (target: <7 days) — Honest about where we stand
- Alert Resolution Rate: 800% net positive (closed vs opened) — Aggressive remediation
- Secret Detection: 0 secrets bypassed (100% blocked) — Zero tolerance enforcement
- Alert Age: 29 days average (needs improvement) — Acknowledging gaps drives fixes
- Total Closed Alerts: 228 across all repositories — Historical remediation proof
- Autofix Adoption: 0 (opportunity for automation improvement) — Transparency includes weaknesses
This is what real security metrics look like. Not all green. Not perfect. Not hiding problems. Measuring actual security posture with automated tooling that can't be gamed.
🔍 The Five Principles of Effective 보안 지표
- Measure Outcomes, Not Activities - "Vulnerabilities fixed" > "vulnerability scans run"
- Focus on Trends, Not Snapshots - Direction matters more than absolute numbers
- Make Metrics Actionable - Every metric should drive specific decisions
- Avoid Perverse Incentives - Don't measure what can be gamed without improving security
- Report Honestly - Metrics revealing problems are valuable—hiding problems is deadly
🎯 Conclusion: Measure What Matters, Question Everything
Security metrics are observability for your defensive consciousness. Like meditation revealing mental patterns, metrics reveal security patterns. Are you getting more secure over time? Where are you weakest? What should you fix next? Good metrics answer these questions. Bad metrics avoid them.
The Five Metric Categories (Law of Fives naturally emerges): Detection & Response, Vulnerability Management, Incident Trends, Access Control, Security Awareness. Each measuring different dimensions of security reality. Together forming a complete picture—if measured honestly.
MTTD and MTTR show detection capability. Patching speed shows vulnerability management. Incident trends show learning effectiveness. Phishing rates show awareness impact. But only if you're honest about the numbers.
Most security metrics are vanity theater. Dashboards showing only green lights. "Number of phishing emails blocked" (measuring your mail filter, not your security). "Training completion percentage" (measuring compliance, not comprehension). "Vulnerability scans performed" (measuring activity, not outcomes).
Vanity metrics stroke egos. Real metrics drive improvement. Choose discomfort over delusion.
Metrics measure security. But metrics also CREATE security culture—or destroy it. Measure vulnerabilities found? Teams stop looking (bad news punished). Measure vulnerabilities fixed? Teams hunt obsessively (problems rewarded). Measure false positive rates? Analysts tune alerts carefully. Ignore false positives? Alert fatigue kills detection.
You become what you measure. Choose metrics that reward the behavior you want:
- Measure time to remediation → Teams fix faster
- Measure phishing simulation trends → Users learn vigilance
- Measure repeat incidents → Organizations learn from failures
- Measure coverage gaps → Teams close blind spots
- Measure false positive rates → Analysts tune quality over quantity
But remember Goodhart's Law: "When a measure becomes a target, it ceases to be a good measure." Metrics optimized become gamed. Question every metric—especially when it makes you look good. The metric that feels comfortable is probably lying to you.
Are you paranoid enough about your metrics lying to you? If your dashboard shows only green, you're either: (a) perfectly secure (you're not), or (b) measuring the wrong things. FNORD.
Think for yourself, schmuck! Question your security metrics. Especially when they tell you what you want to hear. Security theater performs measurement. Real security measures reality.