The smart approach to selecting good cyber security metrics

Date

2024-10

Publisher

Journal of Internet Services and Information Security (JISIS)

Type

Article

Peer reviewed

Yes

Abstract

Identifying and using good cyber security metrics is essential to managing cyber security, because it allows organizations to manage their cyber risk more effectively. However, the literature lacks consensus on the properties and characteristics of good metrics. Hence, the objectives of this work are to explore and identify relevant technical metrics proposed by researchers in the cyber security domain, and then to assess them against the SMART (Specific, Measurable, Actionable, Relevant, and Timely) criteria to determine their feasibility and improve the quality of the selected security metrics. We identified 105 metrics, of which 23 passed the SMART criteria. The resulting set of metrics can be considered a feasible set of metrics to implement. We also identified additional criteria that may be considered when assessing security metrics. Most of these can be regarded as variants of the SMART criteria, except two: the metrics should be inexpensive to gather and independently verifiable via an outside reference.

Description

open access article

Keywords

Cyber Security Metrics, SMART Criteria, Properties, Attributes, Categorization

Citation

Sherif, E. et al. (2024) The smart approach to selecting good cyber security metrics. Journal of Internet Services and Information Security (JISIS)

Rights

Attribution-NonCommercial-NoDerivatives 4.0 International
http://creativecommons.org/licenses/by-nc-nd/4.0/

Research Institute

Digital Future Institute