Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We introduce the first statistically principled metric for network segmentedness based on global edge density, enabling practitioners to quantify what has previously been assessed only qualitatively. Then, we derive a normalized estimator for segmentedness and evaluate its uncertainty using confidence intervals. For a 95\% confidence interval with a margin-of-error of $\pm 0.1$, we show that a minimum of $M=97$ sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős--Rényi, stochastic block models, and real-world enterprise network datasets, demonstrating accurate estimation and well-behaved coverage. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.
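The sample-size claim above can be checked numerically. The following Python script is an added example, not code from the paper or its authors: it reproduces the worst-case binomial sample-size calculation that yields $M=97$ for a 95% interval with margin $\pm 0.1$, then runs a small Monte Carlo check of interval coverage on constructed Erdős–Rényi graphs of two different sizes to show that the required number of sampled pairs does not grow with the node count. It assumes segmentedness is simply one minus the global edge density (the paper's exact normalization may differ) and uses a plain Wald interval; both are assumptions made for illustration.

```python
import math
import random

# Two-sided 95% standard-normal quantile.
Z_95 = 1.959964

def wald_half_width(p_hat, m, z=Z_95):
    """Half-width of the Wald interval for a proportion p_hat from m samples."""
    return z * math.sqrt(p_hat * (1.0 - p_hat) / m)

def worst_case_sample_size(margin=0.1, z=Z_95):
    """Smallest M such that the half-width is <= margin for every density p.
    p(1-p) is maximised at p = 0.5, so M = ceil(z^2 * 0.25 / margin^2).
    This depends only on z and the margin, not on the number of nodes."""
    return math.ceil((z / margin) ** 2 * 0.25)

def erdos_renyi_edges(n, p, rng):
    """Constructed sample network: Erdős–Rényi G(n, p) as a set of (u, v) with u < v."""
    return {(u, v) for u in range(n) for v in range(u + 1, n) if rng.random() < p}

def true_segmentedness(n, edges):
    """Assumed definition: 1 - global edge density over all n(n-1)/2 node pairs."""
    return 1.0 - len(edges) / (n * (n - 1) / 2)

def estimate_segmentedness(n, edges, m, rng, z=Z_95):
    """Sample m node pairs uniformly at random (pairs may repeat across draws),
    estimate edge density, and return (estimate, lower, upper) for segmentedness."""
    hits = 0
    for _ in range(m):
        u, v = rng.sample(range(n), 2)          # two distinct nodes, uniform over pairs
        if (min(u, v), max(u, v)) in edges:
            hits += 1
    p_hat = hits / m
    half = wald_half_width(p_hat, m, z)
    s_hat = 1.0 - p_hat
    return s_hat, max(0.0, s_hat - half), min(1.0, s_hat + half)

def coverage(n, p, m, trials, seed=0):
    """Fraction of Monte Carlo trials whose interval contains the true segmentedness."""
    rng = random.Random(seed)
    edges = erdos_renyi_edges(n, p, rng)
    s_true = true_segmentedness(n, edges)
    covered = sum(
        1 for _ in range(trials)
        if (lambda lo_hi: lo_hi[1] <= s_true <= lo_hi[2])(estimate_segmentedness(n, edges, m, rng))
    )
    return covered / trials

if __name__ == "__main__":
    m = worst_case_sample_size()
    print(f"worst-case M for 95% CI, margin 0.1: {m}")
    print(f"half-width at p_hat=0.5 with M={m}: {wald_half_width(0.5, m):.4f}")
    for n in (30, 200):   # same M, very different network sizes
        print(f"n={n}: empirical coverage = {coverage(n, 0.5, m, 500, seed=n):.3f}")
```

The interesting observation for a practitioner is the last loop: the same $M$ sampled pairs give comparable coverage on a 30-node and a 200-node graph, because the estimator is a proportion over uniformly sampled pairs rather than a function of the node count. Note that a Wald interval collapses to zero width when no sampled pair is an edge (very sparse networks), so a real assessment tool should use an interval that behaves well near 0 and 1; the paper's normalized estimator is evaluated for exactly this kind of coverage behaviour.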