exeCution, rePorting, and analysis 243
we can determine the normal distribution or operating range of that
process. is is called process capability. Anything outside of that
range can indicate a malfunction in the process or an opportunity
for improvement. In VM, we might measure the number of vulner-
abilities found or remediated over time. Significant changes in these
numbers without a change in the number or classification of targets
can be a red flag on configuration management or VM processes.
One of the most common tools for monitoring the statistical vari-
ance in a process is a control chart. is chart in a manufacturing
process, for example, will show the number of defects over time for
a part. For the purposes of a VM application,