Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric for how segmented a network actually is. We define segmentedness as the fraction of potential node-pair communications disallowed by policy -- equivalently, the complement of graph edge density -- and show it to be the first statistically principled scalar metric for this purpose. We then derive a normalized estimator for segmentedness and quantify its uncertainty with confidence intervals. For a 95\% confidence interval with a margin of error of $\pm 0.1$, we show that sampling $M=97$ node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős--Rényi graphs, stochastic block models, and real-world enterprise network datasets, demonstrating accurate estimation. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.
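The sample-size claim above can be reproduced with a short simulation. The following is an added example, not code from the paper: it assumes the normal-approximation (Wald) interval for a binomial proportion, takes the worst case $p = 0.5$ when bounding the sample size (which is what makes $M$ independent of the number of nodes), samples unordered node pairs uniformly with replacement, and uses a constructed Erdős--Rényi-style allow-list in place of a real policy. Function names such as `required_sample_size` and `run_experiment` are this example's own.

```python
"""Segmentedness estimation by uniform node-pair sampling (added example)."""
import math
import random
from itertools import combinations

Z_95 = 1.959964  # two-sided 95% standard-normal quantile


def required_sample_size(margin, confidence_z=Z_95, p=0.5):
    # Normal-approximation half-width is z*sqrt(p(1-p)/M). Solving for M at the
    # worst case p = 0.5 gives a bound that does not depend on network size:
    # 0.25 * (1.96 / 0.1)^2 = 96.04, so 97 pairs suffice for +/-0.1 at 95%.
    return math.ceil(p * (1.0 - p) * (confidence_z / margin) ** 2)


def erdos_renyi_policy(n, p_allow, rng):
    # Constructed sample policy (not real data): each unordered pair of the n
    # nodes is allowed to communicate with probability p_allow, else blocked.
    return {frozenset(pair) for pair in combinations(range(n), 2)
            if rng.random() < p_allow}


def true_segmentedness(n, allowed):
    # Exact value: 1 minus edge density over all n(n-1)/2 unordered pairs.
    total_pairs = n * (n - 1) // 2
    return 1.0 - len(allowed) / total_pairs


def sample_pair(n, rng):
    # rng.sample draws an ordered pair of distinct nodes uniformly; every
    # unordered pair corresponds to exactly two ordered ones, so the unordered
    # pair is uniform, which is the precondition for the size-independence claim.
    a, b = rng.sample(range(n), 2)
    return frozenset((a, b))


def estimate_segmentedness(n, allowed, m, rng):
    # m uniform pair draws with replacement; each draw is one policy query.
    blocked = sum(1 for _ in range(m) if sample_pair(n, rng) not in allowed)
    s_hat = blocked / m
    half = Z_95 * math.sqrt(s_hat * (1.0 - s_hat) / m)  # Wald half-width
    return s_hat, (max(0.0, s_hat - half), min(1.0, s_hat + half))


def monte_carlo_coverage(n, allowed, m, trials, rng):
    # Fraction of trials whose interval contains the true value; a calibrated
    # 95% interval should land near 0.95.
    truth = true_segmentedness(n, allowed)
    hits = 0
    for _ in range(trials):
        _, (lo, hi) = estimate_segmentedness(n, allowed, m, rng)
        hits += lo <= truth <= hi
    return hits / trials


def run_experiment(n, p_allow, m, seed=7, trials=0):
    # Seeded end-to-end run so results are reproducible.
    rng = random.Random(seed)
    policy = erdos_renyi_policy(n, p_allow, rng)
    s_hat, ci = estimate_segmentedness(n, policy, m, rng)
    result = {"n": n, "true": true_segmentedness(n, policy),
              "estimate": s_hat, "ci": ci}
    if trials:
        result["coverage"] = monte_carlo_coverage(n, policy, m, trials, rng)
    return result


if __name__ == "__main__":
    m = required_sample_size(0.1)  # 97
    for n in (50, 1000):           # same m regardless of network size
        r = run_experiment(n, 0.3, m, seed=n)
        print(f"n={n:5d} true={r['true']:.3f} est={r['estimate']:.3f} "
              f"ci=({r['ci'][0]:.3f}, {r['ci'][1]:.3f})")
    print("coverage:", run_experiment(200, 0.3, m, seed=1, trials=500)["coverage"])
```

Two caveats a practitioner would want: the Wald interval collapses to zero width when every sampled pair is blocked or every pair is allowed (a Wilson or Clopper--Pearson interval is the usual fix near the boundaries), and the size-independence holds only if the pair sampler is genuinely uniform; sampling hosts from a partial inventory or a biased scanner source violates that precondition.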