The 5 baselines any CISO must use.

Martijn Dekker
4 min readJul 15, 2022

In our ever faster changing world, CISO’s need to know whether their security programs are keeping up with the evolving threat landscape. Here are 5 baselines that any CISO should use to measure the effectiveness of their security strategy.

The BOOM framework

This blog is nothing more than a shameless plug for the book “The metrics manifesto” written by Richard Seiersen. In this awesome book, Richard describes the BOOM framework (Baseline Objectives and Optimization Measurements). He describes 5 baselines that are foundational for measuring security performance and that allow you to articulate clear and measurable objectives to measure whether your security programs are actually making your environment more secure or not. Next to defining these terms, it also contains tons of details of how to implement the BOOM framework, including source code.

The BOOM framework consists of the following 5 baselines: survival analysis, burn-down metrics, arrival rates, wait times and escape rates. The baselines are based on the now common understanding among CISOs that events will happen and not all issues can be prevented. These baselines are designed to look beyond just counting events, but measure resiliency improvements instead.

Survival Analysis

The first baseline is about measuring the survival time of events. By understanding how long events (like vulnerabilities or other risk causes) survive in your environment, and how that depends on the type or severity of event, you are reducing the uncertainty about your risk exposure. An example of this baseline is: “50% of critical vulnerabilities live for 48 hours or longer”. You need to avoid using averages over clusters of types of events and gather as much fine-grained data as possible.

Burn-down Metrics

The second baseline is concerned with the ratio of removed risk (in a certain timeframe) over the total new risk that is out there. It measures whether you are mitigating risk faster or slower than the growth of risk. For example: if in the last month you had 100 new vulnerabilities, and your team was able to remove 60, the burn-down rate is 60%. Although this is lower than 100% and hence risk is increasing, if the burn-down rate was 50% the…

--

--

Martijn Dekker

Martijn had a PhD in pure mathematics, is top-executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.