A small e-commerce shop is building its security metrics program. You are asked to help in selecting the metrics that should be measured. The table on pages 4 and 5 of the document, Building a Security Metrics Program, provides examples of different metrics that an organization can use to assess their security posture and measure security activities associated with their infrastructure.

Discuss which of the metrics you think would be applicable in this scenario. How is each one important to the security metrics program?

What examples of operational security KPIs are applicable?