Max & Raj - You both mentioned maturity models during yesterday's discussion. Here's an image of the operational security metrics maturity model from the book, How To Measure Anything in Cybersecurity Risk. Is this a kind of maturity model you were thinking about?
Here's a very brief description of each maturity level.
Sparse Data Analytics (SDA): This is the earliest metrics stage, which uses quantitative techniques to model risk based on limited data. This can specifically be used to inform new security investments.
Functional Security Metrics: These are subject-matter-specific metrics based on early security investments. Most security metrics programs stop at this point of maturation.
Security Data Marts: Focuses on measuring across security domains with larger data sets.
Prescriptive Security Analytics: The amalgam of decision and data science.
------------------------------
Mosi Platt
------------------------------