Gamifying Security with Red Team Scores
Security metrics are an interesting topic.
Over the years I have used “scores” as a tool to identify and shine a light on problematic areas, or to highlight a lack of engineering and security quality in certain teams.
A security score should not be seen as an objective or absolute measure, but it allows systems to be compared with each other on a relative scale, and sharing the score makes people ask questions.
I have seen management ask pointed questions when shown a chart with their service and a score next to it: