The document outlines the Exposure Index for IT security, which combines threat and vulnerability metrics to assess an organization's security posture. It details a systematic approach to normalizing and weighting these metrics to calculate vulnerability and threat indexes, ultimately leading to the overall exposure index. The model is designed to be scalable, customizable, and efficient for organizations of various sizes, with an emphasis on simplifying security assessments for management.

1. Exposure Index
An IT Security Speedometer Approach
Holger Himmel, Dr. Aleksandra Sowa

2. “Everything should be made as simple
as possible, but not simpler.”

3. Exposure = Threat + Vulnerability
= +
Data Breach = Hacker + Weak Encryption
Exposure Index = Threat Index + Vulnerability Index

4. Step One – Sort your Metrics
Question: Do your metrics measure threats or do they measure how vulnerable
you are?
IDS alerts
Client-side malware incidents
Firewall scans Failed login
attempts
Applications
up to date
Operating system
update quote
Attacker activity
on honeypot
Employee awareness
training quote
Number of
phishing mails
blocked
Accounts with
administrative
priviledges
Server
hardening
There are hundreds more…
Malware-pattern
update quote

5. Step One – Sort your Metrics
Your vulnerability metrics cluster like that:
“[…] the most important figures that one needs for management are unknown or
unknowable […], but successful management must nevertheless take account of
them.” - W. Edwards Deming

6. Step Two – The Vulnerability Index
1. Normalize your metrics.
What does it mean if your (whatever) metric says “89,2%” or “1,630”?
Is it good or bad?
Normalization puts the metrics into your context and lets you define what is
“good” and what is “worst case”.
To make it simple, lets give “good” a “0” and “worst case and beyond” a “10”.
In this example, 100% (protection) is “good” (=0) and “worst case” is “80%” (=10).
The scale is linear. Our metric delivers a value “89,2%”. So it is a “6”.
Normalization Scale
80,00% 10
82,00% 9
84,00% 8
86,00% 7
88,00% 6
90,00% 5
92,00% 4
94,00% 3
96,00% 2
98,00% 1
100,00% 0
„89,2%“ „6“

7. Step Two – The Vulnerability Index
2. Give each metric a weight to adjust the impact in your index system
There are metrics, measuring your vulnerability (or protection-level) that are
more important than others. Giving them an index weight, gives you the
possibility to increase the metrics impact in the index.
To make it simple, lets give “normal” a “1”.
So you got normalization and weight. Lets put it together:
Normscale
Value Norm. Index Weight 0 1 2 3 4 5 6 7 8 9 10
Metric 1 100,00% 0 1 X
Metric 2 92,70% 8 2 X
Metric 3 60,00% 10 1 X
Metric 4 99,70% 1 1 X
Metric 5 99,00% 1 1 X
Metric 6 80,10% 4 1 X

8. Step Two – The Vulnerability Index
3. Calculate the score
The formula is:
( ) = [ ∗ ]
! "
#
Normscale
Value Norm. Index Weight 0 1 2 3 4 5 6 7 8 9 10
Metric 1 100,00% 0 1 X
Metric 2 92,70% 8 2 X
Metric 3 60,00% 10 1 X
Metric 4 99,70% 1 1 X
Metric 5 99,00% 1 1 X
Metric 6 80,10% 4 1 X
Score = 0*1 + 8*2 + 10*1 + 1*1 + 1*1 + 4*1 = 32
Every child in elementary school should make it. It‘s simple!

9. Step Two – The Vulnerability Index
4. Calculate the index value in %
The formula is:
$ % & '$ ( =
∑ [* ( ∗ ]! "
#
∗ 100
$ % & '$ ( =
32
10 ∗ 1 + 10 ∗ 2 + 10 ∗ 1 + 10 ∗ 1 + 10 ∗ 1 + 10 ∗ 1
∗ 100 =
32
70
∗ 100 = 45.7
Normscale
Value Norm. Index Weight 0 1 2 3 4 5 6 7 8 9 10
Metric 1 100,00% 0 1 X 10
Metric 2 92,70% 8 2 X 20
Metric 3 60,00% 10 1 X 10
Metric 4 99,70% 1 1 X 10
Metric 5 99,00% 1 1 X 10
Metric 6 80,10% 4 1 X 10
Score 32 70(=100%)

10. Step Three – The Threat Index
Your threat related metrics cluster like that:
All threat metrics have one thing in common: You‘ve got nearly no possibility
to control them.
“Blocked phishing mails” is a good example for metrics, you can’t influence.
You can’t set a goal like “Next month, I only want to count 100,000 blocked
phishing mails.” On vulnerability metrics, you are able to set goals:
“Next month, I want my malware patterns to be 100% up to date.”

11. Step Three – The Threat Index
1. Normalize your metrics. (That’s a little bit more tricky.)
Example: You measure 200,000 blocked phishing mails last month. Good or bad?
When you got an average of 6,000,000 blocked phishing mails per month, it’s
“good”. If you count 4,000 in average, it’s nearly “worst case”.
Thus, putting your threat related metrics in an historical context seems to be a
good idea.

12. Date Phishing Mails
August-14 943,407
September-14 1,632,682
October-14 1,218,232
November-14 898,688
December-14 1,211,293
January-15 1,228,161
February-15 660,670
March-15 1,920,309
April-15 1,286,725
May-15 983,008
June-15 691,404
July-15 824,108
Step Three – The Threat Index
1. Normalize your metrics.
One way to do it: Pick up 3 maximum values and calculate the average. That’s your
“worst case” (10) in your norm scale.
Example: You got these 12 historical values and your norm scale calculation is:
Maximum Three
1,920,309
1,632,682
1,286,725
Average
1,613,239
Normscale Absolute value Normalized Value
0% 0 0
-10% 161,324 1
-20% 322,648 2
-30% 483,972 3
-40% 645,295 4
-50% 806,619 5
-60% 967,943 6
-70% 1,129,267 7
-80% 1,290,591 8
-90% 1,451,915 9
90% and more 1,613,239 10
Your most recent value is „755,432”. Which gives you a normalized “5”.

13. Step Three – The Threat Index
2. Calculate the index value in %
The next steps (weight, score count) are similar to the vulnerability index.
4 '$ ( =
71
100
∗ 100 = 71
Normscale
Internal metrics Recent Comparison Percent Normalized Index Weight 0 1 2 3 4 5 6 7 8 9 10
Metric 1 755.432 1.613.239 46,8% 5 1 X 10
Metric 2 133 173 77,0% 8 2 X 20
Metric 3 521 639 81,6% 9 1 X 10
Metric 4 145 178 81,6% 9 2 X 20
Metric 5 11 16 67,3% 7 3 X 30
Other threat metrics
Cybersecurityindex.com 2.814 2.764 1,8% 2 1 X 10
Score 71 100

14. Step Four – Putting it all together
Calculate the Exposure Index
5(6 7 '$ ( =
$ % & '$ ( + 4 '$ (
2
5(6 7 '$ ( =
32 + 71
2
= 89. 8
Feel free to calculate differently!
32
71
51.5

15. Step Four – Putting it all together
low vulnerability
low or less threats
high vulnerability
high or many threats
high vulnerability / low or less threats
low vulnerability / many threats
Exposure = Threat + Vulnerability

16. The Model is…
• …scalable to suit any organization size, from small business to
big multinational companies
• …based on systematics of the German Federal Office for
Network and Information Security (Bundesamt für Sicherheit
in der Informationstechnik, BSI)
• …customizable, since based on metrics
• …efficient, if the appropriate metrics are chosen
• …flexible, since based on continuous security deployment
• …implementable as maturity model, if the set of metrics is
kept constant
• …brain-based - not only evidence-based

17. Last words
• The Exposure Index should be a starting point for drill-down
analysis
• Mind the “blind spot”!
• Suite the model to your needs
• It’s a model developed for the senior management
• Add metrics you need
• Make it simple, but not too simple!
• Your business intelligence team can support you!
• Start automation as early as possible
• Shorten your metrics-reporting-cycle (from monthly to
weekly, to daily)
• Define realistic norm scales

18. Feedback appreciated
Holger Himmel
himmel@posteo.de
https://de.linkedin.com/in/holgerhimmel
Dr. Aleksandra Sowa
a_sowa@web.de
https://de.linkedin.com/in/asowa
Further literature (german)
- H.Himmel, Index der Gefährdungslage, IT-Governance, May 2015, p. 17
- H.Himmel and A.Sowa, Ein Tacho für IT-Sicherheit, <kes> - Zeitschrift für
Informations-Sicherheit, August 2015, p. 37
Credits
Picture of Albert Einstein: Photographer: Yousuf Karsh, archived by www.calie.org
Tachometer: www.clker.com