From these cybersecurity KPI examples, you’ll learn which metrics to track to ensure your business or organization is protected.

KPI in cybersecurity 

Key performance indicators (KPIs) are measurable values demonstrating how effectively an organization achieves its key business objectives. Which KPIs your organization chooses depends on your industry and which element of business performance you’re looking to track. 

In cybersecurity, KPIs are effective in measuring the success of your security management program and aid in decision making.

The importance of cybersecurity metrics

You can’t measure your security if you’re not tracking specific cybersecurity KPIs.

A comprehensive security metrics program allows organizations to achieve a number of goals, including enhanced visibility, the ability to evaluate an internal security program against industry benchmarks, and improved decision making. KPIs ultimately help you demonstrate the value of your security department to key stakeholders throughout the organization. 

As shareholders, regulators, and boards of directors pay more attention to information security, providing cybersecurity metrics and context is becoming a more important task for many chief information security officers (CISOs) and chief information officers (CIOs).

Many organizations, however, miss the opportunity to implement comprehensive KPIs that enhance overall cybersecurity programs.

A 2019 Risk in Review study by PricewaterhouseCoopers (PwC) found that just 22 percent of chief executives believe they receive sufficient risk exposure data to inform their decisions, and a 2018-19 EY Global Information Security Survey reported that 36 percent of financial services organizations worry about “non-existent or very immature” metrics and reporting.

Because cyber threats are constantly changing, technology and processes used to prevent them also constantly change. Having measures in place to assess your cybersecurity program’s effectiveness frequently is important for two reasons:

  1. It allows you to see the whole picture. KPI analysis, key risk indicators (KRIs), and security postures provide a snapshot of how your security team functions over time, or how effective your cybersecurity efforts have been and whether they’ve improved (or degraded). 
  2. It improves communication with business stakeholders. Making a case for your cybersecurity efforts (and budget) is much easier with quantitative information you can use to show management or board members how seriously you’re taking the protection and integrity of sensitive information.  

The document “Cybersecurity Metrics and Measures,” from the National Institute of Standards and Technology, further suggests that:

Cybersecurity metrics and measures can help organizations verify that their security controls are in compliance with a policy, process, or procedure; identify their security strengths and weaknesses; and identify security trends, both within and outside the organization’s control. 

Studying trends allows an organization to monitor its security performance over time and to identify changes that necessitate adjustments in the organization’s security posture. At a higher level, these benefits can be combined to help an organization achieve its mission by: 

  • Evaluating its compliance with legislation and regulations.
  • Improving the performance of its implemented security controls.
  • Answering high-level business questions regarding security, facilitating strategic decision making by the organization’s highest levels of management.

Now that we better understand the importance of KPIs in cybersecurity, let’s look at some examples of KPIs and metrics to track. 

Choosing your KPIs

There is no authoritative list of cybersecurity KPIs and KRIs that all businesses or organizations should track. 

The metrics you choose will depend on your organization’s needs and risk appetite. Those metrics should, however, be clear to anyone looking at your reporting. For instance, your business-side colleagues should be able to understand them without an explanation. 

To choose the KPIs that are best suited for your business, take the following steps:

  1. Write a clear objective for each KPI.
  2. Share each KPI with stakeholders.
  3. Review each KPI regularly.
  4. Make sure each KPI is actionable.
  5. Adjust each KPI as necessary to fit your business’s changing needs.
  6. Confirm that each KPI is attainable.
  7. Update each KPI objective as needed.

Examples of cybersecurity metrics 

  • Non-human traffic (NHT): Are you seeing a normal amount of traffic on your website, or is there an uptick indicating a potential bot attack?
  • Unidentified devices on the internal network: Your employees bring devices to work; your organization may be using Internet of Things (IoT) devices you’re unaware of. These devices probably are not secure, and can pose a huge risk for your organization. How many of these devices are on your network? 
  • Intrusion attempts: How many times have malicious actors tried to breach your networks?
  • Mean Time Between Failures (MTBF): How much time passes between system or product failures? MTBF is used to gauge reliability.
  • Mean Time to Detect (MTTD): How long do security threats go unnoticed at your organization? MTTD measures how long it takes your team to become aware of a potential security incident.
  • Mean Time to Acknowledge (MTTA): What is the average time it takes you to begin working on an issue after receiving an alert?
  • Mean Time to Contain (MTTC): How long does it take to contain identified attack vectors?
  • Mean Time to Resolve (MTTR): How long does it take your team to respond to a threat once it’s aware of it?
  • Mean Time to Recovery (MTTR): How long does it take your organization to recover from a product or system failure? 
  • Security Policy compliance: How well are you tracking and documenting exceptions, configurations, and compliance controls?
  • Days to patch: Cybercriminals often exploit lags between patch releases and implementation. How long does it take your team to implement security patches?
  • Cybersecurity awareness training: How well are you maintaining documentation for cybersecurity awareness training? Are you including all members of your organization, including senior executives? Who has taken (and completed) training? Did those people understand the material?
  • Number of cybersecurity incidents reported: Are employees and users reporting cybersecurity issues to your team? If yes, that’s a good sign; the employees and stakeholders recognize the issues outlined in your training. 
  • Security ratings: An easy-to-understand score is often the easiest way to communicate metrics to non-technical colleagues. A security posture score gives your company a grade on security categories including network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering. Based on these factors, your organization receives an overall grade, making it easy to see at a glance how secure your company is relative to others in your industry. 
  • Access management: How many users have administrative access?
  • Phishing attack success: What is the percentage of phishing emails opened by your employees?
  • Virus infection monitoring: How often does your antivirus software scan common applications such as email clients, web browsers, and instant messaging software for known malware?
  • Cost per incident: How much does it cost to respond to and resolve an attack? How much money are you spending on staff overtime, investigation costs, employee productivity loss, and communication with customers? 
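
The mean-time metrics in the list above can be computed directly from incident timestamps. The following is an added example, not part of the original article: the incident records are constructed, and the measurement window chosen for each metric (for instance, MTTC measured from detection to containment) is an assumption you should align with your own definitions. Incidents that are still open are excluded from a metric rather than counted as zero, and the sample count is reported alongside each mean.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). Timestamps are ISO 8601, UTC.
# None means the stage has not happened yet (incident still open).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T08:00",
     "acknowledged": "2024-03-01T08:30", "contained": "2024-03-01T12:00",
     "resolved": "2024-03-02T08:00"},
    {"id": "INC-2", "occurred": "2024-03-05T10:00", "detected": "2024-03-05T12:00",
     "acknowledged": "2024-03-05T13:30", "contained": "2024-03-05T16:00",
     "resolved": "2024-03-05T20:00"},
    {"id": "INC-3", "occurred": "2024-03-09T00:00", "detected": "2024-03-09T04:00",
     "acknowledged": "2024-03-09T04:15", "contained": None, "resolved": None},
]

# Assumed measurement windows (start field, end field) for each metric.
WINDOWS = {
    "MTTD": ("occurred", "detected"),
    "MTTA": ("detected", "acknowledged"),
    "MTTC": ("detected", "contained"),
    "MTTR": ("detected", "resolved"),
}

def hours_between(start, end):
    """Elapsed hours between two ISO timestamps; rejects reversed pairs."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"end {end} precedes start {start}")
    return delta.total_seconds() / 3600

def mean_time_metrics(incidents):
    """Return {metric: (mean_hours or None, sample_count)}."""
    report = {}
    for name, (start_key, end_key) in WINDOWS.items():
        # Skip incidents that have not reached this stage yet.
        samples = [hours_between(i[start_key], i[end_key])
                   for i in incidents
                   if i.get(start_key) and i.get(end_key)]
        report[name] = (round(mean(samples), 2) if samples else None, len(samples))
    return report

if __name__ == "__main__":
    for metric, (hours, n) in mean_time_metrics(INCIDENTS).items():
        print(f"{metric}: {hours} h over {n} incident(s)")
```

Reporting the sample count next to each mean shows when a figure rests on only a few closed incidents.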

Which KPIs measure security effectiveness

The KPIs you choose should be clear and relevant, and give a full picture of your organization’s cybersecurity measures. 

That said, metrics should focus on identifying assets and building lines of defense to best contribute to your organization’s efforts to protect the enterprise. KPIs should help optimize cybersecurity by allowing you to focus on stopping low-value activities, increasing efficiency, and reinvesting funds in emerging and innovative technologies to enhance your protection. 

You may also need to choose benchmarks for your vendors and other third parties who have access to your networks and can expose your organization to risk. 

To determine which KPIs to track, examine your organization’s overall security program maturity from the top down. Identify the main categories you need to measure and follow them with sub-metrics that contribute to the main categories’ overall scores.

When defining metrics, the most common mistakes made by organizations include:

  • Not committing to make changes based on metrics
  • Measuring too much, too soon, too little, or too late
  • Measuring the wrong things
  • Not defining metrics precisely
  • Not using data to evaluate individual or personnel performance
  • Using metrics to motivate rather than understand
  • Collecting data that isn’t used
  • Having a lack of communication and training
  • Misinterpreting data

What makes a metric ‘SMART’

Metrics collected and reported should follow the “SMART” structure:

  • Specific: targeted to the area being measured, not a byproduct or result 
  • Measurable: data collected is accurate and complete
  • Actionable: easy to understand the data and take action
  • Relevant: measure what’s important about the data
  • Timely: data is available when you need it 

How often to review cybersecurity KPIs

You should evaluate and monitor your KPIs continually, especially as new data becomes available. 

Always examine your cybersecurity metrics after a successful data breach, including any new information in your KPI reporting. 

Because there is no specific timeline guiding how often you should review your cybersecurity KPIs, conduct reviews based on the needs of your organization to best ensure that your metrics are working for you. 

Fortunately, there are tools to help. 

How to improve cybersecurity KPIs

Using governance, risk and compliance (GRC) software to help improve your organization’s KPIs is a no-brainer. Software-as-a-service (SaaS) tools not only speed up the information aggregation process, they help stakeholders communicate better.

ZenGRC from Reciprocity can make tracking your business’s metrics a breeze by automating most of the process. Simplifying the IT audit process, ZenGRC offers risk assessment modules giving insight into both vendor and company risk. 

Its Risk Trend and Risk Responsibility graphics are easy-to-digest, color-coded visuals that give management a view of the company’s current risk, making reporting on KPIs and cybersecurity metrics much easier for your organization’s CISO.

To learn more about how ZenGRC can help your organization improve its cybersecurity KPIs and become more compliant, contact us for a demo today.
