Aram Hovsepyan -- Your Security Dashboard is Lying to You: The Science of Metrics
Jul 22, 2025
In this episode, Aram Hovsepyan, an OWASP core team member and entrepreneur known for his work on security metrics, unravels the fallacies behind conventional security metrics like vulnerability counts and CVSS scores. He introduces the Goal Question Metric framework, urging organizations to create dashboards that genuinely reflect security readiness. Aram discusses critical metrics that matter, including the often-overlooked mean time to resolution, and emphasizes the need for precise, reliable data to enhance overall security posture.
Security Dashboards Can Mislead
- Security dashboards often show metrics that don't correlate with real breach risks or security posture.
- Sole reliance on vulnerability counts and risk scores creates a false sense of security and misguides program optimization.
Use Goal Question Metric Framework
- Start metrics design with organizational goals, then frame questions before selecting metrics to measure progress.
- Use the Goal Question Metric (GQM) framework to align metrics meaningfully to goals and avoid meaningless data overload.
Key Qualities of Good Metrics
- Good security metrics must be reliable, precise, and valid to accurately measure security posture.
- CVSS scores often lack reliability due to subjective scoring, reducing metric repeatability and thus their usefulness.
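The three snips above describe one procedure: pick a goal, derive questions, then choose metrics that are reliable and valid. The following is an added example, not code from the episode or from OWASP, that walks that procedure through on constructed data: two hypothetical teams (TEAM_A, TEAM_B) with identical open-finding counts but very different mean time to resolution, and two hypothetical analysts (RATER_1, RATER_2) whose CVSS scores for the same findings are compared as a repeatability check. All records, scores, names and the 1.0-point agreement tolerance are assumptions made for the illustration.

```python
"""GQM-style security metrics over constructed finding records (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Goal:     shorten the window during which known critical findings stay open.
# Question: how long do critical findings stay open, and is our severity data repeatable?
# Metrics:  mean time to resolution (MTTR) per severity; inter-rater agreement of CVSS scores.


@dataclass
class Finding:
    fid: str
    severity: str           # label assigned at triage
    opened: date
    closed: Optional[date]  # None while the finding is still open


# Constructed sample data for two hypothetical teams. Both carry exactly one
# open finding, so a dashboard that only counts open findings ranks them as equal.
TEAM_A = [
    Finding("A-1", "critical", date(2025, 6, 1), date(2025, 6, 4)),
    Finding("A-2", "critical", date(2025, 6, 5), date(2025, 6, 10)),
    Finding("A-3", "high", date(2025, 6, 20), None),
]
TEAM_B = [
    Finding("B-1", "critical", date(2025, 4, 1), date(2025, 5, 11)),
    Finding("B-2", "critical", date(2025, 4, 10), date(2025, 6, 9)),
    Finding("B-3", "high", date(2025, 6, 20), None),
]


def open_count(findings):
    """The vulnerability-count metric the episode warns about: blind to how long issues linger."""
    return sum(1 for f in findings if f.closed is None)


def mttr_days(findings, severity=None):
    """Mean time to resolution in days over closed findings, optionally filtered by severity.
    Returns None when nothing of that severity has been closed yet (no silent zero)."""
    durations = [
        (f.closed - f.opened).days
        for f in findings
        if f.closed is not None and (severity is None or f.severity == severity)
    ]
    return mean(durations) if durations else None


# Constructed CVSS base scores from two hypothetical analysts scoring the same five findings.
RATER_1 = {"F-1": 9.8, "F-2": 7.5, "F-3": 5.3, "F-4": 4.3, "F-5": 8.8}
RATER_2 = {"F-1": 9.1, "F-2": 5.4, "F-3": 7.2, "F-4": 4.0, "F-5": 6.5}


def cvss_agreement(a, b, tolerance=1.0):
    """Reliability check: fraction of shared findings the two raters score within `tolerance`
    points of each other, plus the mean absolute difference. Low agreement means the score
    is not repeatable, so thresholds built on it (e.g. "fix everything above 7.0") are noisy."""
    shared = sorted(set(a) & set(b))
    diffs = [abs(a[k] - b[k]) for k in shared]
    within = sum(1 for d in diffs if d <= tolerance)
    return within / len(shared), round(mean(diffs), 2)


def report():
    """Return the dashboard rows a GQM-driven view would show side by side."""
    return {
        "open_count": {"A": open_count(TEAM_A), "B": open_count(TEAM_B)},
        "mttr_critical_days": {"A": mttr_days(TEAM_A, "critical"),
                               "B": mttr_days(TEAM_B, "critical")},
        "cvss_agreement": cvss_agreement(RATER_1, RATER_2),
    }


if __name__ == "__main__":
    for row, value in report().items():
        print(f"{row}: {value}")
```

Run as-is, the open-finding count reports 1 for both teams while the critical MTTR is 4 days for A and 50 for B, which is the distinction the vulnerability count hides. The agreement check shows only 2 of 5 scores within one CVSS point and a mean gap of 1.46, the kind of figure that tells you a CVSS-based threshold needs a calibrated scoring rubric before it can drive decisions.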