Network segmentation is a popular security practice for limiting lateral movement, yet practitioners lack a metric to measure how segmented a network actually is. We introduce the first statistically principled metric for network segmentedness based on global edge density, enabling practitioners to quantify what has previously been assessed only qualitatively. Then, we derive a normalized estimator for segmentedness and evaluate its uncertainty using confidence intervals. For a 95\% confidence interval with a margin-of-error of $\pm 0.1$, we show that a minimum of $M=97$ sampled node pairs is sufficient. This result is independent of the total number of nodes in the network, provided that node pairs are sampled uniformly at random. We evaluate the estimator through Monte Carlo simulations on Erdős--Rényi, stochastic block models, and real-world enterprise network datasets, demonstrating accurate estimation and well-behaved coverage. Finally, we discuss applications of the estimator, such as baseline tracking, zero trust assessment, and merger integration.

翻译：网络分割是一种用于限制横向移动的常用安全实践，然而从业者缺乏衡量网络实际分割程度的指标。我们提出了首个基于全局边密度的、具有统计原理的网络分割度度量方法，使从业者能够量化以往仅能定性评估的内容。随后，我们推导出分割度的归一化估计量，并利用置信区间评估其不确定性。对于误差限为$\pm 0.1$的95\%置信区间，我们证明仅需$M=97$个随机均匀采样的节点对即可满足要求。这一结果与网络总节点数无关，前提是节点对均匀随机采样。我们通过在Erdős--Rényi模型、随机分块模型以及真实企业网络数据集上的蒙特卡洛模拟评估该估计量，证明了其估计准确性和良好的覆盖性能。最后，我们讨论了该估计量的应用场景，如基线追踪、零信任评估和并购整合。