Security teams measure performance through metrics like vulnerabilities remediated, security training completion rates, and mean time to detect incidents. When these measurements become performance targets, teams optimise for metrics rather than actual security improvement. This dynamic creates situations where metrics look excellent whilst security posture deteriorates. The problem isn’t measurement itself; it’s that metrics designed for observation become targets that distort behaviour. Teams game systems to satisfy metric requirements without delivering underlying security improvements metrics supposedly represent.
How Security Metrics Get Gamed
Vulnerability counts increase when security teams deploy more scanning tools, making programmes appear worse despite improved visibility. To satisfy reduction metrics, teams close vulnerabilities as “won’t fix” or narrow scan scopes to exclude problematic systems. Numbers improve whilst security doesn’t. Security training completion metrics reward getting everyone through training quickly rather than ensuring retention or behaviour change. Organisations achieve 100% completion whilst employees click through training without learning anything applicable to their roles.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
Comments: “Security programme assessments reveal organisations with impressive metric dashboards alongside serious security weaknesses. Teams optimised metrics through technical accounting rather than genuine improvements. When measurements become goals, they stop being useful measurements.”
Measuring Security Effectively
Focus on outcome metrics that resist gaming. Rather than counting vulnerabilities found, measure exploitation rate of vulnerabilities in production. Rather than training completion, measure phishing simulation success rates. Outcome metrics align team incentives with genuine security improvement. Combine quantitative metrics with qualitative assessment. Numbers provide useful data points but miss important context. Regular reviews that examine security posture holistically prevent over-optimisation on individual metrics at the expense of comprehensive security.
Regular web application penetration testing provides external validation of security metrics. Professional testing reveals whether metric improvements actually translate to reduced vulnerability against real attacks.
Rotate metrics periodically to prevent long-term gaming. When teams know exactly what gets measured, they optimise specifically for those measures. Changing metrics forces broader security improvements rather than narrow optimisation of known targets.
Working with the best penetration testing company includes independent assessment of whether security metrics accurately represent security posture or reflect gaming and manipulation.
Security metrics serve best as diagnostic tools rather than performance targets. Observing trends helps identify programmes needing attention, but tying incentives to metrics invites manipulation that defeats measurement purposes entirely.
