Final Week to Get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Metrics and Visualization

Featuring 4 Papers as of August 10, 2020

  • Improving the Bottom Line with Effective Security Metrics: A SANS Survey Analyst Paper (requires membership in community)
    by Barbara Filkins - August 10, 2020 

    In SANS surveys, CISOs consistently report their major obstacle is the inability to obtain management commitment to increase cybersecurity resources and investment. This paper explores the results of the 2020 SANS Security Metrics Survey with both quantitative results about the overall state of metrics across cybersecurity operations, as well as interview-based qualitative results detailing success stories and best practices of security teams who have been collecting and presenting business-relevant security metrics.

  • Answering the Unanswerable Question: How Secure Are We? Graduate Student Research
    by Jason Bohreer - June 3, 2020 

    Business environments consist of invisible or ill-defined risk factors which create challenges with prioritization for business owners, systems owners, and IT/Security teams in their goal to improve their security position. The security of the environment relies upon the appropriate people understanding and addressing the risks. However, they typically do not have the relevant understanding, and therefore, the capability to act, due to the complexities of the defense-in-depth strategies. Security professionals have a good understanding of the relationships between the various controls and have numerous tools to consolidate logs and network traffic. However, while many of these tools are “best-of-breed” and operate within their information silos, they lack native methods to populate external systems to aggregate the findings in a risk-based approach which business stakeholders require to make decisions. By designing a framework to collect and measure different aspects of security, this research explores how to remove the operational fog that obscures our vision of our environments. With layers of fog removed, the improved clarity allows us to make quantitative assessments of our security by examining how security controls relate to one another.

  • Applying Data Analytics on Vulnerability Data by Yogesh Dhinwa - December 23, 2015 

    An organization with services spread across the globe depends on information technology and information systems. Adoption and compliance of information security standards have become mandatory for many organizations, especially those working under government regulations.

  • Security Data Visualization by Balaji Balakrishnan - October 28, 2015 

    The objective of this paper is to provide guidelines on information security data visualization and insights with repeatable process and examples on visualizing (communicating) information security data. Security data visualization can be used in many areas in information security.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.