LR-301h · Module 3
Mitigation Effectiveness Metrics
Mitigation effectiveness is measured by comparing the risk profile before and after control implementation. The key metrics: residual risk level (the risk that remains after the control operates), control effectiveness rate (the percentage of risk events the control successfully prevents or detects), and time-to-detection (for detective controls, how quickly the control identifies a materialized risk). These metrics tell you whether the control is doing what it was designed to do.
Do This
- Measure residual risk against pre-mitigation risk — the delta is the control's contribution
- Track control effectiveness rate over time — declining rates indicate control degradation
- Benchmark metrics against industry standards where available — your 85% effectiveness may be above or below the norm
Avoid This
- Assume controls are effective because no incidents have occurred — absence of incidents could mean effective controls or insufficient detection
- Stop measuring after the first year — effectiveness changes as the threat landscape evolves
- Measure only lagging indicators (incidents) — leading indicators (near-misses, control triggers) are more actionable
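The three metrics from the opening paragraph, plus the period-over-period degradation check and the leading/lagging split from the lists above, worked through on a constructed set of risk events. This is an added example, not material from the course; the event records, the risk figure and the quarter labels are all assumed sample data.

```python
from datetime import datetime
from statistics import mean

# Constructed sample: risk events the control was expected to handle, by quarter.
# "prevented" and "detected" are control triggers (leading indicators);
# "missed" events became incidents (lagging indicators). Times are ISO strings.
EVENTS = [
    {"period": "Q1", "outcome": "prevented", "occurred": "2024-01-10T09:00", "detected": None},
    {"period": "Q1", "outcome": "detected",  "occurred": "2024-02-03T14:00", "detected": "2024-02-03T16:00"},
    {"period": "Q1", "outcome": "detected",  "occurred": "2024-03-15T08:00", "detected": "2024-03-15T09:00"},
    {"period": "Q1", "outcome": "missed",    "occurred": "2024-03-20T11:00", "detected": None},
    {"period": "Q2", "outcome": "prevented", "occurred": "2024-04-02T10:00", "detected": None},
    {"period": "Q2", "outcome": "detected",  "occurred": "2024-05-11T12:00", "detected": "2024-05-12T12:00"},
    {"period": "Q2", "outcome": "missed",    "occurred": "2024-06-01T07:00", "detected": None},
    {"period": "Q2", "outcome": "missed",    "occurred": "2024-06-18T15:00", "detected": None},
]

HANDLED = {"prevented", "detected"}

def effectiveness_rate(events):
    """Share of risk events the control prevented or detected (0.0 to 1.0)."""
    return sum(e["outcome"] in HANDLED for e in events) / len(events)

def rate_by_period(events):
    """Effectiveness rate per period, in the order the periods first appear."""
    periods = list(dict.fromkeys(e["period"] for e in events))
    return {p: effectiveness_rate([e for e in events if e["period"] == p]) for p in periods}

def degraded_periods(rates):
    """Periods whose rate fell below the previous period's: a control-degradation signal."""
    vals = list(rates.items())
    return [p for (_, r0), (p, r1) in zip(vals, vals[1:]) if r1 < r0]

def mean_time_to_detection_hours(events):
    """Mean hours from occurrence to detection, over detected events only."""
    gaps = [(datetime.fromisoformat(e["detected"]) - datetime.fromisoformat(e["occurred"]))
            .total_seconds() / 3600 for e in events if e["outcome"] == "detected"]
    return mean(gaps)

def residual_risk(pre_mitigation_risk, rate):
    """Risk left after the control operates, and the delta that is the control's contribution."""
    residual = pre_mitigation_risk * (1 - rate)
    return residual, pre_mitigation_risk - residual

def indicator_counts(events):
    """Leading indicators (control triggers) versus lagging indicators (incidents)."""
    leading = sum(e["outcome"] in HANDLED for e in events)
    return {"leading": leading, "lagging": len(events) - leading}

if __name__ == "__main__":
    rates = rate_by_period(EVENTS)
    print(rates, degraded_periods(rates), mean_time_to_detection_hours(EVENTS))
    print(residual_risk(100_000, effectiveness_rate(EVENTS)), indicator_counts(EVENTS))
```

On this sample the Q2 rate drops from 0.75 to 0.5, which is the declining trend the module says to watch for, and the three missed events are the only figures a lagging-only measurement would ever see.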