What are Cybersecurity Metrics and KPIs?
Cybersecurity metrics and Key Performance Indicators (KPIs) are crucial indicators that help security teams analyze how their security controls function over time. Cybersecurity KPIs and cybersecurity metrics are terms often used interchangeably, but there is a slight difference between their meanings- while cybersecurity metrics are quantifiable measurements pertaining to security tactics and routine reporting of results, KPIs are measurables relating to long-term security strategies and goals. KPIs offer a broader business context of how the security program works, what has been implemented correctly, and which areas need attention, which allows security teams to continuously fine-tune systems and controls. The following is a list of cybersecurity metrics and KPIs that will help you to measure the effectiveness of your information security controls and strategies:
Threat Detection and Incident Response
- Mean Time to Detect (MTTD). This metric measures the average amount of time between when an incident occurs and when it’s detected.
- Mean Time to Response (MTTR): This metric measures the average time it takes for your team to neutralize a threat and regain control of any compromised systems.
- Mean Time to Contain (MTTC). This metric measures the average time it takes for your team to secure all compromised endpoints and attack vectors following a cybersecurity incident or cyberattack.
- Security training effectiveness. Results from phishing attack tests and cybersecurity awareness training quizzes can demonstrate security training effectiveness.
- Third-party security risk and compliance. Security ratings provide high-level overviews of third-party vendors’ security posture.
- Patching practices. Reports indicating how often your organization and third-party vendors review systems, networks, devices, and applications for updates that patch security vulnerabilities.
- Access management. Reports that log access and monitor access controls; may include number of users with superuser access, the average time it takes to deactivate former employee credentials, and third-party access review.
- Average delay and downtime. This metric tracks the average time systems are non-operational, whether for repair, corrective and preventive maintenance, or system failures.
- Average cost per cybersecurity incident. This metric includes factors like investigation, remediation costs, lost productivity, and overtime to determine how much it cost to responds and resolve a cybersecurity incident.
- Inventory of vulnerable and misconfigured systems. Reports from vulnerability scans, penetration tests, and patch releases provide information on the number of systems with known vulnerabilities and high numbers of misconfigurations.