Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We define segmentedness as the fraction of potential node-pair communications disallowed by policy -- equivalently, the complement of graph edge density -- and show it to be the first statistically principled scalar metric for this purpose. Then, we derive a normalized estimator for segmentedness and evaluate its uncertainty using confidence intervals. For a 95\% confidence interval with a margin-of-error of $\pm 0.1$, we show that a minimum of $M=97$ sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős--Rényi, stochastic block models, and real-world enterprise network datasets, demonstrating accurate estimation. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.

翻译：网络分段是一种限制横向移动的常用安全实践，但从业人员缺乏衡量网络实际分段程度的指标。我们将“分段度”（segmentedness）定义为被策略禁止的潜在节点对通信比例——等价于图边密度的补集——并证明它是首个用于此目的的、具有统计学原理的标量指标。随后，我们推导出分段度的归一化估计量，并使用置信区间评估其不确定性。对于边际误差为 $\pm 0.1$ 的 95% 置信区间，我们证明至少需要 $M=97$ 个采样的节点对。该结果与网络中的节点总数无关，前提是节点对均匀随机采样。我们通过蒙特卡罗模拟在 Erdős–Rényi 模型、随机块模型和真实企业网络数据集上评估该估计量，证明了其估计的准确性。最后，我们讨论了该估计量的应用场景，例如基线追踪、零信任评估和并购整合。