Metrics are the intended output of the ESPM. They are as the platform of the bridge. The metrics drive the connection from executives to operations as they contribute to the continued success of business operations. Every inch of a bridge is engineered; as should an information security management program.

The security profile score provides an overall view of the organization based upon the evaluation of each environment. "Too often, reports are made up of the easy-to-collect metrics or show a single metric instead of telling a story and providing useful information that drives action or shows business value" (Bruno, 2016). The ESPM metrics tell the cyber security risk story and are broken down into greater detail as it is presented to each level of management.
  • Tier 1 is an executive summary with a single security value, represented as a percentage of the proper implementation of all security controls throughout the organization. The executive summary scores also include an evaluation of the function scores. This enables top-level management to communicate with security and throughout the organization regarding the five functions of security; Identify, Protect, Detect, Respond and Recover.
  • Security management and other mid-level managers at the Tier 2 focus on the category scores within each function. For example, a Director of Security will inform executive management about the concerns of a low Recover function score and can pinpoint the weaknesses in the Recovery Planning category.
  • Further explanation, found in the Control Set Scores, show that the Recovery Planning control is failing in a specific environment within the organization.
Identifying risk at the operational level enables management to allocate resources within the budget to increase the performance and facilitate improvement in the 
security profile scores.