“…‘security vanity’ metrics. They simply don’t provide the full picture of organizational security but rather lure practitioners into thinking they understand because quantification feels like real science—just as shamanism, humoralism, and astrology felt in prior eras.”
(An excerpt from the O’Reilly book Security Chaos Engineering, written by Kelly Shortridge and Aaron Rinehart)
Cybersecurity is a field that demands precision, adaptability, and an unwavering commitment to improvement. Historically, organizations have relied on tools such as compliance checklists, risk assessments, and performance metrics to navigate this intricate domain. While these tools offer some structure, they often fail to address the nuanced, dynamic realities of modern threats. This paper examines the pitfalls of traditional approaches, advocating for a transformative integration of metrics, testing, observability, and systems thinking to foster robust, adaptable cybersecurity programs. Special attention is given to the misapplication of metrics, the need for contextualized interpretation, and the role of unquantifiable elements in resilience-building.
A Changing Threat Landscape
The complexity of today’s cybersecurity landscape cannot be overstated. Threats are evolving at an unprecedented pace, outstripping the capacity of traditional mechanisms to provide meaningful defense. Organizations often rely on established tools—compliance checklists, qualitative risk assessments, and metrics such as Mean Time to Respond (MTTR)—to assess and manage risk. While these tools offer clarity and structure, their inherent limitations often lead to false confidence, misaligned priorities, and superficial improvements.
To meet these challenges, cybersecurity must shift from static, subjective practices to dynamic, evidence-based methodologies. This requires a rethinking of how metrics are used, a commitment to real-world testing and measurement, and the adoption of systems thinking principles.
The Limitations of Metrics and the Need for Context
Misquoting Deming: The Myth of “If You Can’t Measure It, You Can’t Manage It”
A widely repeated phrase attributed to W. Edwards Deming—“If you can’t measure it, you can’t manage it”—has significantly influenced modern management practices, including cybersecurity. However, this attribution is misleading. Deming’s actual statement, as clarified by the Deming Institute, was: “It is wrong to suppose that if you can’t measure it, you can’t manage it—a costly myth.” This critical distinction underscores the risks of overemphasizing measurement at the expense of unquantifiable but essential elements of management.
Deming’s insight is particularly relevant to cybersecurity, where an excessive focus on metrics can obscure critical factors such as organizational culture, team dynamics, and adaptability. Measurement, while invaluable, is not a substitute for thoughtful management. It is a tool to inform decisions, not a panacea for complexity.
The “Catch-22” of Security Metrics
Metrics provide a tangible means of evaluating performance, enabling organizations to track progress, identify gaps, and communicate outcomes to stakeholders. For example, metrics such as Mean Time to Detect (MTTD) and phishing click rates offer quantifiable benchmarks for incident response efficiency and user awareness. However, metrics are inherently reductive. They simplify complex realities into numbers, which can lead to significant pitfalls:
- Contextual Blind Spots: Metrics often fail to account for the specific conditions of an organization. For instance, a low incident count might suggest strong defenses—or inadequate monitoring capabilities.
- Perverse Incentives: Focusing on narrowly defined metrics can encourage teams to prioritize specific targets over holistic, durable solutions.
- Ambiguity: Some metrics lack standardization, leading to inconsistencies in interpretation and reducing the reliability of comparisons across organizations.
Metric Overload and Decision Fatigue
The proliferation of metrics in cybersecurity dashboards can overwhelm decision-makers. Dozens of indicators often compete for attention, leading to:
- Superficial Compliance: Organizations may chase arbitrary benchmarks, such as patch compliance targets, without addressing underlying risks.
- Decision Fatigue: Overloaded dashboards can obscure what truly matters, reducing an organization’s ability to act decisively.
Tackling the Limitations within Subjective Devices
The Role of Subjectivity in Cybersecurity
Subjectivity permeates traditional cybersecurity practices. Risk assessments, for instance, often rely on qualitative ratings—“high,” “medium,” or “low”—that reduce nuanced threats into oversimplified categories. Compliance checklists, while establishing a baseline, focus on adherence to standards rather than uncovering real-world vulnerabilities. Both approaches suffer from:
- Bias and Experience Dependence: Assessments reflect the subjective judgment of individuals, introducing inconsistencies.
- False Confidence: Compliance-driven approaches create a veneer of security, often masking critical gaps in real-world readiness.
A Fresh Approach: Empirical Testing, Measurement, and Observability
Testing as a Core Practice
Controlled testing provides insights into system performance that cannot be achieved through vendor claims or compliance documentation alone. Consider the evaluation of Endpoint Detection and Response (EDR) systems:
- Simulated Attack Scenarios: Testing fileless malware attacks, lateral movement, and data exfiltration reveals detection gaps and operational inefficiencies.
- Identifying Operational Weaknesses: Excessive false positives, uncovered during testing, may overwhelm security teams, reducing their ability to respond effectively.
Observability: A Window into System Behavior
Observability, the dynamic monitoring of system states through telemetry, enhances testing by providing real-time insights into anomalies. Unlike static metrics, observability captures the internal workings of systems, enabling teams to:
- Identify Hidden Defects: For example, observability tools might reveal disk I/O spikes and anomalous process activity during a simulated ransomware attack, enabling pre-emptive mitigation.
- Enable Continuous Improvement: Observability supports iterative fine-tuning of detection thresholds, reducing false positives and improving incident response over time.
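The threshold-tuning loop described above, as an added example that is not part of the original paper: a global disk-write threshold either floods the team with alerts from a legitimate heavy writer or misses a simulated ransomware burst, whereas a threshold expressed relative to each process's own baseline catches the burst without the false positives. All telemetry values, process names, and the ransomware labels are constructed for illustration.

```python
from statistics import median
from typing import Dict, List, Tuple

# Constructed telemetry (not real data): (process, MB written per minute).
# A quiet learning period, used only to build per-process baselines.
LEARNING_PERIOD: List[Tuple[str, float]] = [
    ("svchost.exe", 1.2), ("svchost.exe", 0.9), ("svchost.exe", 1.5),
    ("backup-agent", 180.0), ("backup-agent", 175.0), ("backup-agent", 190.0),
    ("chrome.exe", 4.5), ("chrome.exe", 6.1), ("chrome.exe", 3.8),
]
# The simulation window: the third field labels the injected ransomware burst,
# which writes less per minute than the backup agent does on a normal day.
SIMULATION: List[Tuple[str, float, bool]] = [
    ("backup-agent", 185.0, False), ("backup-agent", 210.0, False),
    ("chrome.exe", 5.0, False), ("svchost.exe", 1.1, False),
    ("svchost.exe", 95.0, True), ("svchost.exe", 120.0, True),
]

def static_alerts(window, threshold_mb: float) -> List[int]:
    """Naive rule: alert on any window whose write rate exceeds one global threshold."""
    return [i for i, (_, rate, _) in enumerate(window) if rate > threshold_mb]

def per_process_baseline(learning) -> Dict[str, float]:
    """Median write rate per process: the context a single global threshold lacks."""
    by_proc: Dict[str, List[float]] = {}
    for proc, rate in learning:
        by_proc.setdefault(proc, []).append(rate)
    return {proc: median(rates) for proc, rates in by_proc.items()}

def baseline_alerts(window, baseline, factor: float, floor_mb: float = 50.0) -> List[int]:
    """Contextual rule: alert when a process writes `factor` times its own median
    (never below `floor_mb`, so quiet processes do not alert on tiny jitter;
    processes absent from the baseline are judged against the floor alone)."""
    return [i for i, (proc, rate, _) in enumerate(window)
            if rate > max(floor_mb, factor * baseline.get(proc, 0.0))]

def evaluate(window, alerts: List[int]) -> Tuple[int, int, int]:
    """Score a rule against the simulation labels: (true positives, false positives, missed)."""
    hit = set(alerts)
    tp = sum(1 for i, (_, _, bad) in enumerate(window) if bad and i in hit)
    fp = len(hit) - tp
    fn = sum(1 for _, _, bad in window if bad) - tp
    return tp, fp, fn

if __name__ == "__main__":
    base = per_process_baseline(LEARNING_PERIOD)
    for t in (50.0, 150.0):
        print(f"global threshold {t:>5} MB/min -> (tp, fp, missed) =", evaluate(SIMULATION, static_alerts(SIMULATION, t)))
    print("10x per-process baseline  -> (tp, fp, missed) =", evaluate(SIMULATION, baseline_alerts(SIMULATION, base, 10.0)))
```

Each (tp, fp, missed) triple is the measurement step of the loop; changing the factor or floor and re-running the simulation is the refinement and retest.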
Balancing Measurement with Qualitative Understanding
The Importance of Context
Metrics gain relevance only when contextualized within an organization’s specific environment. For instance:
- A low incident count might suggest strong defenses—or inadequate monitoring capabilities.
- A high compliance rate might indicate adherence to standards but could conceal systemic vulnerabilities.
Incorporating Qualitative Insights
Qualitative tools such as blameless postmortems and team debriefs complement quantitative metrics. For example:
- Postmortems: A detailed review of an incident might uncover systemic communication issues or cognitive biases that metrics cannot capture.
- Team Dynamics: Observing how teams collaborate during incidents provides insights into organizational culture and adaptability.
Feedback Loops and Systems Thinking
Feedback Loops for Continuous Improvement
A feedback loop integrates testing, measurement, and refinement into an iterative process that drives continuous improvement. For example:
- Simulating insider threats might expose delays in log correlation. By optimizing these pipelines and retesting, teams can confirm improvements and ensure durability.
Adopting Systems Thinking
Systems thinking views cybersecurity as an interconnected ecosystem, emphasizing the relationships between components. This approach encourages organizations to:
- Focus on Systemic Changes: Addressing systemic bottlenecks, such as those exposed during Distributed Denial of Service (DDoS) simulations, often requires improvements in communication and coordination, not just technical fixes.
- Anticipate Ripple Effects: Changes in one part of the system can impact others, necessitating a holistic perspective.
Toward a Resilient Cybersecurity Framework
The evolution of cybersecurity demands a balanced approach that integrates metrics, testing, observability, and systems thinking. Metrics, when contextualized and used judiciously, provide valuable benchmarks. Testing and observability reveal real-world performance, while qualitative insights address unquantifiable but critical factors like team dynamics and culture.
By embracing this integrated framework, organizations can move beyond superficial fixes and static evaluations to build cybersecurity programs that are robust, adaptable, and resilient. In a world of uncertainty and complexity, this balanced approach provides the clarity and precision needed to thrive.
References
- Deming Institute. “Myth: If You Can’t Measure It, You Can’t Manage It.”
- Leveson, Nancy. Engineering a Safer World: Systems Thinking Applied to Safety.
- Hubbard, Douglas W., and Seiersen, Richard. How to Measure Anything in Cybersecurity Risk.
- Dekker, Sidney. The Field Guide to Understanding Human Error.
- Busch, Carsten. If You Can’t Measure It…Maybe You Shouldn’t.
- Woods, David D., and Cook, Richard I. Behind Human Error.
- Shortridge, Kelly, and Rinehart, Aaron. Security Chaos Engineering: Developing Resilience and Safety at Speed and Scale. O’Reilly Media, 2023.
Author: Aaron Rinehart
Aaron has spent his career solving complex, challenging engineering problems and transforming cybersecurity practices across a diverse set of industries: healthcare, insurance, government, aerospace, technology, higher education, and the military. He has been expanding the possibilities of chaos engineering in its application to other safety-critical portions of the IT domain, most notably in cybersecurity.