Security professionals are increasingly asked to provide metrics to track the current state of a company’s defenses. Metrics like mean cost to respond to an incident or mean time to patch are helpful if the organization has mature and highly optimized processes. Experts recommend focusing on metrics that influence behavior or change strategy. The window of exposure looks at how many days in a year an application remains vulnerable to known serious exploits and issues that have not yet been addressed. For example, it might make everyone feel good to see the number of intrusion attempts that were blocked, but there’s nothing actionable.”]
Source: https://www.csoonline.com/article/2976292/4-security-metrics-that-matter.html