A big problem in the computer security world is that practitioners aren’t skeptical enough, don’t question authority statements and often don’t ask the right questions. A handful of controls, like those around social engineering and patch management, will quantify the vast majority of computer security risk in most environments. The real risk is all the time that the malware program (or hackers) went undetected (often called dwell time) before it was stopped and removed. In most cases, you need to enable an application/whistleblower program on each device to generate the data with minimum effort.
Source: https://www.csoonline.com/article/3273497/the-5-best-malware-metrics-you-can-generate.html

