OWASP 2025 Global AppSec EU

Security teams love metrics - dashboards filled with vulnerability counts, alert volumes, and training hours logged. But do any of these actually make organizations more secure? The uncomfortable truth is that most security metrics are just vanity numbers—impressive in reports but meaningless in practice.

In this talk, I will focus on the science behind meaningful security metrics—the ones that actually reduce risk instead of just filling reports. I will introduce a framework that helps define metrics based on real security goals, rather than setting goals around whatever data happens to be available. From there, I will break down what constitutes a good metric, examining its structure and the common pitfalls that undermine its validity.

If your security strategy is built on unreliable metrics, it’s time for a reality check. This talk challenges industry assumptions and provides scientific backing to the fact that many widely used security metrics in the industry only weakly correlate with actual risk.