
Security Metrics

Updated Jan 30, 2024

Evaluating Security Programs

Organizations assess their security programs through specific metrics to measure efficiency and effectiveness. These metrics provide valuable insights into both the current and long-term health of the security framework.

  • Metrics assess critical security controls.
  • Measurements offer a snapshot and long-term view of security.
  • Predefined metrics ensure integrity and prevent bias in reporting.

KPIs and KRIs

Security programs utilize two main types of metrics:

  • Key Performance Indicators (KPIs)
  • Key Risk Indicators (KRIs)

Key Performance Indicators (KPIs)

KPIs help organizations track their security program’s performance by measuring how well it achieves its objectives. Their focus is on historical performance, which supports continuous improvement.

Examples:

  • Decrease in security breaches
  • Increase in security clauses in SLAs
  • Time to implement security controls after identifying threats

Key Risk Indicators (KRIs)

KRIs identify and quantify potential risks, which enables organizations to anticipate and mitigate potential threats. They provide a forward-looking view of risk factors, and their focus is on risk assessment.

Examples:

  • Identify risks significant to the business
  • Measure reliability and sensitivity of risk indicators

Common KPIs for Security Programs

ITIL suggests nine KPIs that can guide security programs:

  1. Percentage decrease in security breaches.
  2. Reduction in the impact of breaches.
  3. Increase in SLAs with security clauses.
  4. Number of preventive measures implemented.
  5. Time between identifying threats and applying controls.
  6. Number of major security incidents.
  7. Security incidents causing outages or impairments.
  8. Number of security tests, training, and awareness events.
  9. Shortcomings identified during security tests.
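To show how several of the ITIL KPIs above are actually computed from raw records, here is an added Python example; it is not code from the page's source, from ITIL, or from any particular tool. The `Incident` and `Threat` record layouts and every sample value are constructed for illustration. It computes KPI 1 (percentage decrease in breaches against the previous period), KPI 5 (time between identifying a threat and applying a control), KPI 6 (major incidents) and KPI 7 (incidents causing outages), and it handles the two edge cases a reporting script usually gets wrong: a period with no baseline breaches (no division by zero) and threats whose control has not yet been applied (excluded from the mean and counted separately as open exposure instead of silently dragging the average down).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One security incident record (hypothetical schema, not a standard)."""
    incident_id: str
    opened: datetime
    major: bool            # classified as a major incident
    caused_outage: bool    # led to a service outage or impairment


@dataclass
class Threat:
    """A threat finding and the moment its mitigating control went live."""
    threat_id: str
    identified: datetime
    control_applied: Optional[datetime]   # None while still uncontrolled


def pct_decrease(previous: int, current: int) -> float:
    """KPI 1: percentage decrease in breaches versus the prior period.

    A negative result means breaches increased. With no baseline there is
    nothing to compare against, so report 0.0 rather than divide by zero.
    """
    if previous == 0:
        return 0.0
    return (previous - current) * 100.0 / previous


def mean_time_to_control_hours(threats: List[Threat]) -> Optional[float]:
    """KPI 5: mean hours from identifying a threat to applying a control.

    Threats still awaiting a control are excluded (they have no duration yet)
    and must be reported separately; otherwise a backlog of open threats
    would make the KPI look better, not worse.
    """
    durations = [
        (t.control_applied - t.identified).total_seconds() / 3600.0
        for t in threats
        if t.control_applied is not None
    ]
    return mean(durations) if durations else None


def count_major(incidents: List[Incident]) -> int:
    """KPI 6: number of major security incidents in the period."""
    return sum(1 for i in incidents if i.major)


def count_outage(incidents: List[Incident]) -> int:
    """KPI 7: incidents that caused outages or impairments."""
    return sum(1 for i in incidents if i.caused_outage)


def compute_kpis(previous: List[Incident], current: List[Incident],
                 threats: List[Threat]) -> Dict[str, object]:
    """Assemble the period's KPI report from the raw records."""
    return {
        "pct_decrease_breaches": pct_decrease(len(previous), len(current)),
        "mean_time_to_control_hours": mean_time_to_control_hours(threats),
        "major_incidents": count_major(current),
        "outage_incidents": count_outage(current),
        "uncontrolled_threats": sum(1 for t in threats if t.control_applied is None),
    }


# Constructed sample data: five breaches last quarter, three this quarter.
T0 = datetime(2024, 1, 1)
PREVIOUS_QUARTER = [
    Incident(f"INC-{n}", T0 - timedelta(days=80 - 10 * n), major=False, caused_outage=False)
    for n in range(5)
]
CURRENT_QUARTER = [
    Incident("INC-100", T0 + timedelta(days=3), major=True, caused_outage=True),
    Incident("INC-101", T0 + timedelta(days=20), major=True, caused_outage=False),
    Incident("INC-102", T0 + timedelta(days=45), major=False, caused_outage=False),
]
THREATS = [
    Threat("THR-1", T0, T0 + timedelta(hours=24)),
    Threat("THR-2", T0 + timedelta(days=10), T0 + timedelta(days=10, hours=48)),
    Threat("THR-3", T0 + timedelta(days=30), T0 + timedelta(days=33)),   # 72 h
    Threat("THR-4", T0 + timedelta(days=60), None),                      # still open
]

if __name__ == "__main__":
    for name, value in compute_kpis(PREVIOUS_QUARTER, CURRENT_QUARTER, THREATS).items():
        print(f"{name}: {value}")
```

On the sample data this reports a 40% decrease in breaches, a mean of 48 hours to control, two major incidents, one outage-causing incident and one uncontrolled threat. Keeping the computation in fixed functions like these, agreed before the period starts, is what the page means by predefined metrics: the numbers come out of the records the same way every quarter, so a report cannot quietly change the definition of "breach" or the treatment of open threats to improve the result.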

KRIs Criteria

ISACA recommends choosing KRIs based on these criteria:

  • Impact: Identifies risks significant to the business.
  • Effort: Ease of implementation and ongoing support.
  • Reliability: Indicator's ability to predict risks.
  • Sensitivity: Captures variances in risk accurately.