Security Metrics / BSides Charm

Why Vulnerability MTTR Alone Misleads

Closure flow and backlog age are different signals.

Mean Time to Remediate (MTTR) shows the age of closed work. Mean Open Vulnerability Age (MOVA) shows the age of open work. Read together, they make remediation tradeoffs visible.

The deck uses one simulated team, fixed capacity, and two simplified closure patterns to show how prioritization choices change what the metrics report.

The goal is not to prove oldest-first is best. The goal is to read both signals before judging progress.

Core idea

Same records. Different slices.

Flow

MTTR

Mean Time to Remediate

How old was the work that closed in the reporting window?

Backlog age

MOVA

Mean Open Vulnerability Age

How old is the work still open right now?

MTTR is windowed. MOVA reflects open backlog age right now. If they disagree, the system is telling you where to look.

Read them together

What the pair reveals

  • Whether closure flow and open backlog age are moving together
  • Whether faster-looking closures are leaving older work behind
  • Whether a regression reflects slower work or older backlog getting cleared
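The deck's simulation (one team, fixed capacity, two closure patterns) is not reproduced on this page, so the following is an added example, not the presenter's code. It assumes a constructed backlog: 10 findings already open at day 0 (ages 1 to 10 days), 2 new findings arriving every day, a team that can close exactly 2 per day, and two policies, oldest-first and newest-first. MTTR is computed over a 7-day reporting window and MOVA as of the last simulated day, so the two signals can be read side by side as the deck recommends:

```python
"""Simulated remediation backlog: MTTR (age of closed work in a window)
versus MOVA (age of open work at a point in time) under two closure policies.
All inputs are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, List, Optional


@dataclass
class Finding:
    opened: int                 # day the finding was opened
    closed: Optional[int] = None  # day it was remediated, None while still open


Policy = Callable[[List[Finding]], List[Finding]]


def oldest_first(items: List[Finding]) -> List[Finding]:
    """Work the backlog from the oldest open finding."""
    return sorted(items, key=lambda f: f.opened)


def newest_first(items: List[Finding]) -> List[Finding]:
    """Work the freshest findings first; older backlog is left behind."""
    return sorted(items, key=lambda f: f.opened, reverse=True)


def simulate(initial_ages: List[int], days: int, arrivals_per_day: int,
             capacity: int, policy: Policy) -> List[Finding]:
    """Run a fixed-capacity team for `days` days under the given policy."""
    findings = [Finding(opened=-age) for age in initial_ages]  # open before day 0
    for day in range(1, days + 1):
        findings.extend(Finding(opened=day) for _ in range(arrivals_per_day))
        open_items = [f for f in findings if f.closed is None]
        for f in policy(open_items)[:capacity]:   # capacity is the only constraint
            f.closed = day
    return findings


def mttr(findings: List[Finding], window_start: int, window_end: int) -> Optional[float]:
    """Mean age at closure of findings closed inside the reporting window."""
    ages = [f.closed - f.opened for f in findings
            if f.closed is not None and window_start <= f.closed <= window_end]
    return float(mean(ages)) if ages else None


def mova(findings: List[Finding], as_of: int) -> Optional[float]:
    """Mean age of findings that were still open at the measurement date."""
    ages = [as_of - f.opened for f in findings
            if f.opened <= as_of and (f.closed is None or f.closed > as_of)]
    return float(mean(ages)) if ages else None


DAYS = 30
WINDOW = 7  # MTTR reporting window in days, ending on the last simulated day


def report(policy: Policy) -> dict:
    """Both metrics for one policy, using the constructed backlog scenario."""
    findings = simulate(initial_ages=list(range(1, 11)), days=DAYS,
                        arrivals_per_day=2, capacity=2, policy=policy)
    return {
        "mttr": mttr(findings, DAYS - WINDOW + 1, DAYS),
        "mova": mova(findings, DAYS),
        "open_count": sum(1 for f in findings if f.closed is None),
    }


if __name__ == "__main__":
    for name, policy in (("oldest-first", oldest_first), ("newest-first", newest_first)):
        r = report(policy)
        print(f"{name:13s} MTTR={r['mttr']:5.1f}d  MOVA={r['mova']:5.1f}d  open={r['open_count']}")
```

With identical capacity and identical closure counts, newest-first reports an MTTR of 0 days (every closed item was opened the same day) while MOVA climbs past 35 days because the original backlog is never touched; oldest-first reports a higher MTTR (5 days) and a MOVA of 2 days. Neither metric alone distinguishes the two policies correctly, which is the disagreement the deck says to investigate.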

What to report

Keep the dashboard focused

  • MTTR and MOVA in the same view
  • The time window used for MTTR
  • The measurement date for open backlog age
  • The risk context behind the movement

Prioritization

Fix what matters first

Use risk-based inputs first, then use MTTR and MOVA to see what those choices are doing to the system. Examples include CVSS, CISA Known Exploited Vulnerabilities (KEV), and the Exploit Prediction Scoring System (EPSS).

Takeaway

Read the system, not just the metric.

Use the pair to verify whether risk-based prioritization is producing the outcome you intended, and question the disagreement when the signals diverge.