Top Cybersecurity Metrics (KPI) to Track

Top Cybersecurity Metrics KPI to Track 768x292 1

Cyber security KPI or other Key Performance Indicators are established in different areas of every organisation to track and monitor the progress towards attaining a certain goal or target. Cybersecurity is no exception here, and companies should maintain proper cybersecurity KPIs. There are many blog posts available around this topic but in this article, we have gathered a list of important cybersecurity KPIs that every organisation should consider.

How many KPIs should be there?

Determining the number of KPIs a company should have is directly related to the goals and targets set by the organisation itself. Once the goals are identified the KPIs will become evident. Nobody other than the organisation itself can determine how many KPIs they need.

However, when creating KPI, priority should be defined to each KPI such as categorising them as Priority KPIs i.e. these indicators are vital in the cybersecurity program of the company and Relative KPIs i.e. these indicators matter but do not play a crucial role.

Creating an effective KPI

KPIs can be thought of as benchmarks, and when creating these benchmarks make sure that they are measurable. An effective KPI is one that is:

  • Simple i.e. easy to understand,
  • Actionable i.e. steps can be taken to achieve the KPI,
  • Measurable i.e. it can be quantified,
  • Relevant i.e. it pertains to the security program and
  • Time-based i.e. the KPI can be achieved within a defined time limit.

cybersecurity KPI 300x225 1

Why KPIs are important in cyber security

Information security is an ever-growing field where the threat landscape, offensive and defensive mechanisms, techniques and tactics are evolving every day. It is crucial for an organisation to stay ahead of the threat actors and protect the organisation’s assets.

By keeping a set of well defined KPIs the organisation can improve their overall security posture, measure the progress made in its security program and make decisions based on its growth.

Reporting the cybersecurity issues, concerns and developments to the board members also become easier when there are quantifiable numbers to back up the statements.

Cybersecurity metrics (KPIs) to track

Below are some of the major cyber security metrics (KPIs) and best practices that an organisation should keep track of:

Preparedness level

The overall preparedness of an organisation should be quantified such as against the Top 20 CIS controls. This will give a holistic view of the security posture and the cybersecurity efforts made by the organisation.

Meantime between failures (MTBF)

The time taken in between system or product failures should be recorded to detect the problems and issues within the system.

Meantime between failures MTBF

Meantime to detect (MTTD) and mean time to acknowledge (MTTA)

The time taken for the security team to detect a cyber attack or data breach should be recorded. This also identifies how long the attack went unnoticed.

The time to acknowledge should also be recorded which will reflect the amount of time taken from the detection phase to responding to the attack.

Meantime to resolve (MTTR) and mean time to recovery (MTTR)

The mean response time of any security incident should be recorded to know how much time the team takes to respond to a cyber attack after they become aware of this. The mean time to contain (MTTC) can also be calculated at this stage.

And if the cyber attack causes system failure or downtime, what is the team’s time to resolve these issues. Both these measures should be as minimal as possible.

Number of unidentified devices

The number of unidentified devices on the internal network should be monitored to ensure that no employee or third party connects any unauthorised devices within the network, as this can lead to introducing malware and other risks.

Number of intrusions in the IT environment

The number of times any intrusion attack or intrusion attempt takes place on any system should be recorded by the security operations center (SOC). This is show the attempted cyber attacks and unauthorised accesses that took place.

sem dashboard

Number of days for patching

The number of days it takes the IT department to deploy patch releases or update any vulnerable system should be recorded. This will give a clear window or timeline in which the company is at risk of attack because of vulnerable systems.

Number of cybersecurity incidents reported

The total number of cyber security incidents should be recorded as well as the number of times the employees report security incidents or suspicious activities. This shows that the employees are becoming aware of security threats.

Number of days take to deactivate unused/former employee credentials

This metric will help ensure if the IT and HR departments are working in sync. Ideally an employee’s access and accounts should be deactivated immediately after their departure. Failure to do so might lead to sensitive data exposure and difficulties in forensic investigations.

Number of systems with known vulnerabilities

When a company knows the number of its vulnerable assets, it can determine the risk exposure/data affected and act accordingly. Since the risk indicators are already known, the company knows how to handle them in such cases, such as patching, updating or replacing the asset.

Number of incorrectly configured SSL certificates

SSL certificates are necessary to ensure the company’s digital identity and secure transfer of information. The company should monitor and keep track of all certificates and reconfigure them where needed.

secure and insecure ssl certificates

Number of cybersecurity awareness training sessions conducted

The company should track the number of security training sessions they conduct each year. Employees should be well versed in basic security practices and what to do in case of a security incident.

cybersecurity awareness training session 300x225 1

Cybersecurity awareness training results

After conducting cybersecurity awareness sessions the organisation should keep track of the number of attendees as well as if the attendees understood the content completely.

Access management

This security performance KPI ensures that access to critical systems is monitored, access control is granted on the basis of the principle of least privilege, and monitoring the individuals with administrative privileges.

access management

Adhering to security compliance

If any security compliance such as ISO 27001, HIPAA, FISMA, GDPR etc. is applicable to the organisations are they compliant to the requirements and tracking, documenting, configuring systems accordingly?

Amount of non-human traffic (NHT)

Is the monitored traffic normal (with respect to amount, type of packets etc.) or does the traffic indicate malicious activities such as a potential botnet attack?

Monitoring virus infections

This KPI includes the quantity of malware or virus infections that took place. As well as the frequency of detection by the antivirus software. This KPI may also include the areas that the antivirus is scanning malware such as emails, laptops, servers etc.

Results for successful phishing attacks

This security KPI can cover two aspects, firstly if the company conducts phishing simulation tests so what are the results of those tests i.e., how many employees became victims of the attack simulations and how many reported the phishing email/call to the IT department.

Secondly, this covers the legitimate phishing attacks on the company employees and how many of those attacks were successful.

The cost incurred per incident

This KPI informs the higher security management what the cost of resolving and responding to a cyber incident will be. This includes the money that will be spent on the staff, investigation cost, downtime cost, communication with customers, any fines or penalties, replacement of systems etc.

Cost incurred per incident 300x225 1

Frequency of review of third-party accesses

More often than not third party vendors are granted access inside the IT infrastructure to carry out certain tasks. The frequency of these access along with monitoring whether this access is revoked after the activity is completed is crucial in protecting the company assets from unauthorised access. Failure to do so may lead to data exfiltration or other malicious activities.

Frequency of access to critical systems

Access to critical systems should always be monitored to ensure no unauthorised access takes place and tracking is possible in case of any incident. This will also indicate if any misconduct or attempts to access sensitive systems is made by an employee or if the systems are compromised.

Quantity and volume of data transferred via corporate network

When employees are given unrestricted access to the internet using the corporate network it is important to monitor the volume and quantity of traffic, so that it is easier to identify any misuse of the company’s resources. Furthermore it will be possible to track if employees are downloading prohibited software, streaming videos etc.

nta dashboard summary


Without effective and efficient KPIs it will not be possible for business to carry out informed decision making about their security efforts, goals, requirements and progress. A quantifiable value is necessary to ensure that everything is going according to plan, not to mention that facts and numbers are more understandable for C-suite executives.

Always try to set relevant KPIs regarding your cybersecurity performance so you would have a clear view of what is done and what needs to be done.

Article Contents

Related Posts

CREST penetration testing maturity model
Compliance and Regulations

Understanding the CREST Penetration Testing Maturity Model

Penetration testing, or pen testing, is a critical component of any organisation’s cyber security strategy, as it helps to determine vulnerabilities that attackers could exploit. However, simply conducting a pen testing exercise is not enough. Organisations need to ensure that their pentesting strategies, methodologies and programs are mature and effective to ensure that they are

Read More
crest defensible penetration test
Compliance and Regulations

Learn about the CREST Defensible Penetration Test (CDPT) and business benefits

CREST, a non-profit membership organisation that represents the global cybersecurity industry, has developed a specification called Crest Defensible Penetration Test (CDPT). This specification is designed to guide organisations in conducting penetration tests and utilising the test results to enhance their overall security posture and establish security programs during significant growth phases. By adhering to the

Read More
Scroll to Top